Commit Graph

523 Commits

Author SHA1 Message Date
Max Laier
d6a8d58875 Add an additional struct inpcb * argument to pfil(9) in order to enable
passing along socket information. This is required to work around a LOR with
the socket code which results in an easy reproducible hard lockup with
debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do
so later. The missing piece is to turn the filter locking into a leaf lock
and will follow in a seperate (later) commit.

This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in
forseeable future.

Suggested by:		rwatson
A lot of work by:	csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by:		rwatson, csjp
Tested by:		-pf, -ipfw, LINT, csjp and myself
MFC after:		3 days

LOR IDs:		14 - 17 (not fixed yet)
2004-09-29 04:54:33 +00:00
Max Laier
7ea7663ca4 Protect sockaddr_union definitions with a protecting define. This allows to
build kernels with FAST_IPSEC and PF. This is the least disruptive fix.

PR:		kern/71836
Reviewed by:	bms, various mailing lists
MFC after:	3 days
2004-09-23 12:44:40 +00:00
Max Laier
abd627ebb7 Break out altq_enable/disable from DIOC{START,STOP}ALTQ into seprate
functions that can be called from enable/disable pf as well. This improves
switching from non-altq ruleset to altq ruleset (and the other way 'round)
by a great deal and makes pfctl act like the user would except it to.

PR:		kern/71746
Tested by:	Aurilien "beorn" Rougemont (PR submitter)
MFC after:	3 days
2004-09-17 02:15:05 +00:00
Max Laier
4758aa2bd4 Reactivate skipping over bogus IPCP addresses on ppp interfaces. Be more
careful with the skip condition this time. Addresses are only not taken into
account if:
	- The interface is POINTTOPOINT
	- There is no route installed for the address
	- The user specified noalias (:0)
and	- We are looking at an IPv4 address.

This should be enough paranoia to not cause any false positives.

PR:	 	misc/69954
Discussed with:	yongari
MFC after:	4 days
2004-09-14 15:20:24 +00:00
Max Laier
f78086efb6 Move pf* init from SI_SUB_PSEUDO to SI_SUB_PROTO_IFATTACHDOMAIN where it is
save to call if_attachdomain from if_attach() (as done for if_loop.c). We
will now end up with a properly initialized if_afdata array and the nd6
callout will no longer try to deref a NULL pointer.

Still this is a temp workaround and the locking for if_afdata should be
revisited at a later point.

Requested by:			rwatson
Discussed with and tested by:	yongari (a while ago)
PR:				kern/70393
MFC after:			5 days
2004-09-14 03:12:01 +00:00
Max Laier
c9f6794e2e One more round on the H/W supported checksum code: Fix NICs that can't do
the pseudo header. We really need the TCP packet length here. This happens
to end up in ip->ip_len in tcp_input.c, but here we should get it from the
len function variable instead.

Submitted by:	yongari
Tested by:	Nicolas Linard, yongari (sparc64 + hme)
MFC after:	5 days
2004-09-11 11:18:25 +00:00
Andre Oppermann
5f56967319 From __FreeBSD_version 600001 on PFIL_HOOKS is permanently in the kernel and
doesn't require to include opt_pfil_hooks.h.
2004-08-27 20:01:08 +00:00
Max Laier
7fff37fc15 Use securelevel_gt instead of reading global securelevel unprotected.
Submitted by:	yongari
MFC after:	3 days
2004-08-22 15:23:48 +00:00
Nate Lawson
ca36a5dc0d This commit was generated by cvs2svn to compensate for changes in r133931,
which included commits to RCS files with non-trunk default branches.
2004-08-18 05:41:21 +00:00
Nate Lawson
aaff1d4cfa Add a padding member to the header overlaid on data allocated in the
ACPI_DEBUG case.  Without this, use of allocated memory is unaligned and
causes a trap on ia64.  Intel may fix this differently in a subsequent
release but this is adequate for now.

Submitted by:	marcel
MFC after:	2 days
2004-08-18 05:41:21 +00:00
Max Laier
e89d8405c7 Comment out rev. 1.4 after problems w/ IPv6, a better solution must be
found.
2004-08-16 17:58:12 +00:00
David Malone
1f44b0a1b5 Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSD
have already done this, so I have styled the patch on their work:

        1) introduce a ip_newid() static inline function that checks
        the sysctl and then decides if it should return a sequential
        or random IP ID.

        2) named the sysctl net.inet.ip.random_id

        3) IPv6 flow IDs and fragment IDs are now always random.
        Flow IDs and frag IDs are significantly less common in the
        IPv6 world (ie. rarely generated per-packet), so there should
        be smaller performance concerns.

The sysctl defaults to 0 (sequential IP IDs).

Reviewed by:	andre, silby, mlaier, ume
Based on:	NetBSD
MFC after:	2 months
2004-08-14 15:32:40 +00:00
Robert Watson
9baf5f2da1 Since if_oltr doesn't contain locking or run with INTR_MPSAFE, mark
the interface as IFF_NEEDSGIANT so if_start is run holding Giant.
2004-08-14 00:19:07 +00:00
Max Laier
571065e55f Loopback fix from Mathieu Sauve-Frankel:
Add missing check for NULL in DIOCCHANGERULE. This prevents a crash
	in certain rare cases.
2004-08-12 14:15:42 +00:00
Max Laier
01105bbf3b Loopback fix from Daniel Hartmeier:
pf_cksum_fixup() was called without last argument from
	normalization, also fixup checksum when random-id modifies ip_id.
	This would previously lead to incorrect checksums for packets
	modified by scrub random-id.

(Originally) Submitted by:	yongari
2004-08-12 13:59:44 +00:00
Max Laier
91a9e0b42b Loopback fix from Henning Brauer:
skip over interface addresses without IFA_ROUTE, fixes some issue
	with pppd

PR:	misc/69954
2004-08-12 13:54:50 +00:00
Hartmut Brandt
63fa1c3303 Exclusion list for easier import. 2004-08-11 12:25:09 +00:00
Hartmut Brandt
f3e103df9f This commit was generated by cvs2svn to compensate for changes in r133492,
which included commits to RCS files with non-trunk default branches.
2004-08-11 12:21:36 +00:00
Hartmut Brandt
e42ab7cde1 Virgin import of NgATM shared kernel/user part 1.1 2004-08-11 12:21:36 +00:00
Max Laier
8de5b6f306 Use in_cksum_skip() to calculate in4_cksum instead of doing handrolled magic
(that does not compile with !gcc). Moreover we get the benefit for all archs
that have a hand optimized in_cksum_skip().

Submitted by:	yongari
Tested by:	me (i386, extensivly), pf4freebsd ML (various)
2004-08-05 20:41:38 +00:00
Alexander Kabaev
7e86873d5c Initialize s variable early to shut up GCC warnings.
Do not declare inline functions without body as this is useless in
general and generates a warning with GCC 3.4.x.

Glanced over by:	dhartmei
2004-07-28 06:14:44 +00:00
Max Laier
c99c1da589 Fix the following LOR on pf module unload:
1st ifnet (ifnet) @/usr/src/sys/contrib/pf/net/pf_if.c:191
2nd pf task mtx (pf task mtx) @/usr/src/sys/contrib/pf/net/pf_if.c:197

Reported by:	Pyun YongHyeon (a long time ago)
2004-07-23 03:37:05 +00:00
Max Laier
bb73d87a1e Refine pf_check_proto_cksum() a bit in order to avoid additional in_pseudo()
calls further down the stack. If we find the cksum to be okay we pretend
that the hardware did all the work and hence keep the upper layers from
checking again.

Submitted by:	Pyun YongHyeon
2004-07-23 03:31:42 +00:00
Max Laier
e89865e516 Fix a stupid attemp to apply host arithmetics to network byte ordered data.
This fixes checksum for some drivers with partial H/W ckcsum offloads.

Reported by:	Simon 'corecode' Schubert, Devon H. O'Dell, hmp
Reviewed by:	Pyun YongHyeon
2004-07-18 14:25:48 +00:00
Max Laier
a9ce8750b6 m_tag_copy takes an additional "how" parameter in FreeBSD.
Submitted by:	rwatson
2004-07-18 00:51:56 +00:00
Max Laier
0ad9506fab Merge in a stable fix from OpenBSD:
MFC:
  Fix by dhartmei@

  change pf_route() loop detection: introduce a counter (number of times
  a packet is routed already) in the mbuf tag, allow at most four times.
  Fixes some legitimate cases broken by the previous change.

Reviewed by:	dhartmei
2004-07-17 17:15:15 +00:00
Max Laier
c550f2206d Define semantic of M_SKIP_FIREWALL more precisely, i.e. also pass associated
icmp_error() packets. While here retire PACKET_TAG_PF_GENERATED (which
served the same purpose) and use M_SKIP_FIREWALL in pf as well. This should
speed up things a bit as we get rid of the tag allocations.

Discussed with:	juli
2004-07-17 05:10:06 +00:00
Poul-Henning Kamp
3f4324df4d Send the fla driver in the Attic 2004-07-13 17:44:17 +00:00
Darren Reed
781950a42f Clean up a bunch of white-space difference with IPFilter source as well as
remove some superfluous assignments for .d_version/.d_flags in a cdevsw
structure initialisation that never sees the light of day in FreeBSD.
2004-07-11 10:13:05 +00:00
Hartmut Brandt
8339b15086 Virgin import of NgATM share kernel/user part 1.0 2004-07-08 16:39:03 +00:00
Hartmut Brandt
72767e9575 This commit was generated by cvs2svn to compensate for changes in r131826,
which included commits to RCS files with non-trunk default branches.
2004-07-08 16:39:03 +00:00
Mark Santcroos
bde5ba82c2 Local change: Allow access to the field if it is within the region
size rounded up to a multiple of the access byte width.  This overcomes
"off-by-one" programming errors in the AML often found in Toshiba
laptops.
2004-07-02 08:38:55 +00:00
Mark Santcroos
2e8f631a0d Local diff: allow use of the disassembler. 2004-07-02 08:37:56 +00:00
Mark Santcroos
727fde6f33 Unchanged files that are off the vendor branch. 2004-07-02 08:34:19 +00:00
Mark Santcroos
671d52d8aa Vendor import of Intel ACPI-CA 20040527 2004-07-02 08:14:36 +00:00
Mark Santcroos
648474d5f4 This commit was generated by cvs2svn to compensate for changes in r131440,
which included commits to RCS files with non-trunk default branches.
2004-07-02 08:14:36 +00:00
Darren Reed
be134cb640 Mess from update & merge - don't release the ifnet lock twice, just once
and after we're finished with it.
2004-06-29 03:39:06 +00:00
Brooks Davis
f889d2ef8d Major overhaul of pseudo-interface cloning. Highlights include:
- Split the code out into if_clone.[ch].
 - Locked struct if_clone. [1]
 - Add a per-cloner match function rather then simply matching names of
   the form <name><unit> and <name>.
 - Use the match function to allow creation of <interface>.<tag>
   vlan interfaces.  The old way is preserved unchanged!
 - Also the match function to allow creation of stf(4) interfaces named
   stf0, stf, or 6to4.  This is the only major user visible change in
   that "ifconfig stf" creates the interface stf rather then stf0 and
   does not print "stf0" to stdout.
 - Allow destroy functions to fail so they can refuse to delete
   interfaces.  Currently, we forbid the deletion of interfaces which
   were created in the init function, particularly lo0, pflog0, and
   pfsync0.  In the case of lo0 this was a panic implementation so it
   does not count as a user visiable change. :-)
 - Since most interfaces do not need the new functionality, an family of
   wrapper functions, ifc_simple_*(), were created to wrap old style
   cloner functions.
 - The IF_CLONE_INITIALIZER macro is replaced with a new incompatible
   IFC_CLONE_INITIALIZER and ifc_simple consumers use IFC_SIMPLE_DECLARE
   instead.

Submitted by:   Maurycy Pawlowski-Wieronski <maurycy at fouk.org> [1]
Reviewed by:    andre, mlaier
Discussed on:	net
2004-06-22 20:13:25 +00:00
Darren Reed
01dbed783b revert section of code that calls netisr_queue() to match v1.33 of this file 2004-06-22 05:20:30 +00:00
Darren Reed
5e9c7ec5dc #ifdef's for FreeBSD are wrong, causing too many variable declaractions to
disappear.
2004-06-22 05:16:29 +00:00
Darren Reed
27944d9422 one too many #endif's from the update broke the build 2004-06-22 02:44:06 +00:00
Darren Reed
7b807523f4 Update ipfilter from 3.4.31 -> 3.4.35. Some important changes:
* block packets that fail to create state table entries
* only allow non-fragmented packets to influence whether or not a logged
  packet is the same as the one logged before.
* correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
* implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
  and ipf_nattable_max)
* frsynclist() wasn't paying attention to all the places where interface
  names are, like it should.
* fix comparing ICMP packets with established TCP state where only 8 bytes
  of header are returned in the ICMP error.

MFC after:	1 week
2004-06-21 22:46:36 +00:00
Poul-Henning Kamp
cb5cb48675 Add missing <sys/module.h> include.
Approved by:	sam
2004-06-18 08:53:55 +00:00
Max Laier
c0d431fe31 Import two fixes from the OpenBSD stable branch:
- prevent an endless loop with route-to lo0, fixes PR 3736 (dhartmei@)
 - The rule_number parameter for pf_get_pool() needs to be 32 bits, not 8 -
   this fixes corruption of the address pools with large rulesets.
   (mcbride@, pb@)

Reviewed-by:	dhartmei
2004-06-17 16:59:47 +00:00
Max Laier
7c1fe95333 Commit pf version 3.5 and link additional files to the kernel build.
Version 3.5 brings:
 - Atomic commits of ruleset changes (reduce the chance of ending up in an
   inconsistent state).
 - A 30% reduction in the size of state table entries.
 - Source-tracking (limit number of clients and states per client).
 - Sticky-address (the flexibility of round-robin with the benefits of
   source-hash).
 - Significant improvements to interface handling.
 - and many more ...
2004-06-16 23:24:02 +00:00
Max Laier
779616355a This commit was generated by cvs2svn to compensate for changes in r130610,
which included commits to RCS files with non-trunk default branches.
2004-06-16 23:03:14 +00:00
Max Laier
32b3098356 Import pf from OpenBSD 3.5 (OPENBSD_3_5_BASE) 2004-06-16 23:03:14 +00:00
Poul-Henning Kamp
89c9c53da0 Do the dreaded s/dev_t/struct cdev */
Bump __FreeBSD_version accordingly.
2004-06-16 09:47:26 +00:00
Max Laier
7421be0528 Disable "bulk dequeue" when enabling ALTQ so it does not irritate the
timing.
2004-06-15 23:59:37 +00:00
Max Laier
4cb655c020 Transform tbr_dequeue into a function pointer in order to build drivers with
ALTQ enabled versions of IFQ_* macros by default, as requested by serveral
others. This is a follow-up to the quick fix I committed yesterday which
turned off the ALTQ checks for non-ALTQ kernels.
2004-06-15 01:45:19 +00:00