2005-01-07 01:45:51 +00:00
|
|
|
/*-
|
2017-11-20 19:43:44 +00:00
|
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
*
|
1999-12-07 17:39:16 +00:00
|
|
|
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
2018-06-05 21:24:59 +00:00
|
|
|
* Copyright (c) 2018 Andrey V. Elsukov <ae@FreeBSD.org>
|
1999-12-07 17:39:16 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. Neither the name of the project nor the names of its contributors
|
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
* without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
2014-10-14 13:31:47 +00:00
|
|
|
*
|
|
|
|
* $KAME: if_gif.c,v 1.87 2001/10/19 08:50:27 itojun Exp $
|
1999-12-07 17:39:16 +00:00
|
|
|
*/
|
|
|
|
|
2014-10-14 13:31:47 +00:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
1999-12-07 17:39:16 +00:00
|
|
|
#include "opt_inet.h"
|
|
|
|
#include "opt_inet6.h"
|
|
|
|
|
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/systm.h>
|
|
|
|
#include <sys/kernel.h>
|
2014-10-14 13:31:47 +00:00
|
|
|
#include <sys/lock.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
#include <sys/malloc.h>
|
|
|
|
#include <sys/mbuf.h>
|
2004-05-30 20:27:19 +00:00
|
|
|
#include <sys/module.h>
|
2014-10-14 13:31:47 +00:00
|
|
|
#include <sys/rmlock.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <sys/sockio.h>
|
2014-10-14 13:31:47 +00:00
|
|
|
#include <sys/sx.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
#include <sys/errno.h>
|
|
|
|
#include <sys/time.h>
|
2002-02-26 01:56:56 +00:00
|
|
|
#include <sys/sysctl.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
#include <sys/syslog.h>
|
Fix and add a workaround on an issue of EtherIP packet with reversed
version field sent via gif(4)+if_bridge(4). The EtherIP
implementation found on FreeBSD 6.1, 6.2, 6.3, 7.0, 7.1, and 7.2 had
an interoperability issue because it sent the incorrect EtherIP
packets and discarded the correct ones.
This change introduces the following two flags to gif(4):
accept_rev_ethip_ver: accepts both correct EtherIP packets and ones
with reversed version field, if enabled. If disabled, the gif
accepts the correct packets only. This flag is enabled by
default.
send_rev_ethip_ver: sends EtherIP packets with reversed version field
intentionally, if enabled. If disabled, the gif sends the correct
packets only. This flag is disabled by default.
These flags are stored in struct gif_softc and can be set by
ifconfig(8) on per-interface basis.
Note that this is an incompatible change of EtherIP with the older
FreeBSD releases. If you need to interoperate older FreeBSD boxes and
new versions after this commit, setting "send_rev_ethip_ver" is
needed.
Reviewed by: thompsa and rwatson
Spotted by: Shunsuke SHINOMIYA
PR: kern/125003
MFC after: 2 weeks
2009-06-07 23:00:40 +00:00
|
|
|
#include <sys/priv.h>
|
Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)
Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.
From my notes:
-----
One thing where FreeBSD has been falling behind, and which by chance I
have some time to work on is "policy based routing", which allows
different
packet streams to be routed by more than just the destination address.
Constraints:
------------
I want to make some form of this available in the 6.x tree
(and by extension 7.x) , but FreeBSD in general needs it so I might as
well do it in -current and back port the portions I need.
One of the ways that this can be done is to have the ability to
instantiate multiple kernel routing tables (which I will now
refer to as "Forwarding Information Bases" or "FIBs" for political
correctness reasons). Which FIB a particular packet uses to make
the next hop decision can be decided by a number of mechanisms.
The policies these mechanisms implement are the "Policies" referred
to in "Policy based routing".
One of the constraints I have if I try to back port this work to
6.x is that it must be implemented as a EXTENSION to the existing
ABIs in 6.x so that third party applications do not need to be
recompiled in timespan of the branch.
This first version will not have some of the bells and whistles that
will come with later versions. It will, for example, be limited to 16
tables in the first commit.
Implementation method, Compatible version. (part 1)
-------------------------------
For this reason I have implemented a "sufficient subset" of a
multiple routing table solution in Perforce, and back-ported it
to 6.x. (also in Perforce though not always caught up with what I
have done in -current/P4). The subset allows a number of FIBs
to be defined at compile time (8 is sufficient for my purposes in 6.x)
and implements the changes needed to allow IPV4 to use them. I have not
done the changes for ipv6 simply because I do not need it, and I do not
have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.
Other protocol families are left untouched and should there be
users with proprietary protocol families, they should continue to work
and be oblivious to the existence of the extra FIBs.
To understand how this is done, one must know that the current FIB
code starts everything off with a single dimensional array of
pointers to FIB head structures (One per protocol family), each of
which in turn points to the trie of routes available to that family.
The basic change in the ABI compatible version of the change is to
extent that array to be a 2 dimensional array, so that
instead of protocol family X looking at rt_tables[X] for the
table it needs, it looks at rt_tables[Y][X] when for all
protocol families except ipv4 Y is always 0.
Code that is unaware of the change always just sees the first row
of the table, which of course looks just like the one dimensional
array that existed before.
The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
are all maintained, but refer only to the first row of the array,
so that existing callers in proprietary protocols can continue to
do the "right thing".
Some new entry points are added, for the exclusive use of ipv4 code
called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
which have an extra argument which refers the code to the correct row.
In addition, there are some new entry points (currently called
rtalloc_fib() and friends) that check the Address family being
looked up and call either rtalloc() (and friends) if the protocol
is not IPv4 forcing the action to row 0 or to the appropriate row
if it IS IPv4 (and that info is available). These are for calling
from code that is not specific to any particular protocol. The way
these are implemented would change in the non ABI preserving code
to be added later.
One feature of the first version of the code is that for ipv4,
the interface routes show up automatically on all the FIBs, so
that no matter what FIB you select you always have the basic
direct attached hosts available to you. (rtinit() does this
automatically).
You CAN delete an interface route from one FIB should you want
to but by default it's there. ARP information is also available
in each FIB. It's assumed that the same machine would have the
same MAC address, regardless of which FIB you are using to get
to it.
This brings us as to how the correct FIB is selected for an outgoing
IPV4 packet.
Firstly, all packets have a FIB associated with them. if nothing
has been done to change it, it will be FIB 0. The FIB is changed
in the following ways.
Packets fall into one of a number of classes.
1/ locally generated packets, coming from a socket/PCB.
Such packets select a FIB from a number associated with the
socket/PCB. This in turn is inherited from the process,
but can be changed by a socket option. The process in turn
inherits it on fork. I have written a utility call setfib
that acts a bit like nice..
setfib -3 ping target.example.com # will use fib 3 for ping.
It is an obvious extension to make it a property of a jail
but I have not done so. It can be achieved by combining the setfib and
jail commands.
2/ packets received on an interface for forwarding.
By default these packets would use table 0,
(or possibly a number settable in a sysctl(not yet)).
but prior to routing the firewall can inspect them (see below).
(possibly in the future you may be able to associate a FIB
with packets received on an interface.. An ifconfig arg, but not yet.)
3/ packets inspected by a packet classifier, which can arbitrarily
associate a fib with it on a packet by packet basis.
A fib assigned to a packet by a packet classifier
(such as ipfw) would over-ride a fib associated by
a more default source. (such as cases 1 or 2).
4/ a tcp listen socket associated with a fib will generate
accept sockets that are associated with that same fib.
5/ Packets generated in response to some other packet (e.g. reset
or icmp packets). These should use the FIB associated with the
packet being reponded to.
6/ Packets generated during encapsulation.
gif, tun and other tunnel interfaces will encapsulate using the FIB
that was in effect withthe proces that set up the tunnel.
thus setfib 1 ifconfig gif0 [tunnel instructions]
will set the fib for the tunnel to use to be fib 1.
Routing messages would be associated with their
process, and thus select one FIB or another.
messages from the kernel would be associated with the fib they
refer to and would only be received by a routing socket associated
with that fib. (not yet implemented)
In addition Netstat has been edited to be able to cope with the
fact that the array is now 2 dimensional. (It looks in system
memory using libkvm (!)). Old versions of netstat see only the first FIB.
In addition two sysctls are added to give:
a) the number of FIBs compiled in (active)
b) the default FIB of the calling process.
Early testing experience:
-------------------------
Basically our (IronPort's) appliance does this functionality already
using ipfw fwd but that method has some drawbacks.
For example,
It can't fully simulate a routing table because it can't influence the
socket's choice of local address when a connect() is done.
Testing during the generating of these changes has been
remarkably smooth so far. Multiple tables have co-existed
with no notable side effects, and packets have been routes
accordingly.
ipfw has grown 2 new keywords:
setfib N ip from anay to any
count ip from any to any fib N
In pf there seems to be a requirement to be able to give symbolic names to the
fibs but I do not have that capacity. I am not sure if it is required.
SCTP has interestingly enough built in support for this, called VRFs
in Cisco parlance. it will be interesting to see how that handles it
when it suddenly actually does something.
Where to next:
--------------------
After committing the ABI compatible version and MFCing it, I'd
like to proceed in a forward direction in -current. this will
result in some roto-tilling in the routing code.
Firstly: the current code's idea of having a separate tree per
protocol family, all of the same format, and pointed to by the
1 dimensional array is a bit silly. Especially when one considers that
there is code that makes assumptions about every protocol having the
same internal structures there. Some protocols don't WANT that
sort of structure. (for example the whole idea of a netmask is foreign
to appletalk). This needs to be made opaque to the external code.
My suggested first change is to add routing method pointers to the
'domain' structure, along with information pointing the data.
instead of having an array of pointers to uniform structures,
there would be an array pointing to the 'domain' structures
for each protocol address domain (protocol family),
and the methods this reached would be called. The methods would have
an argument that gives FIB number, but the protocol would be free
to ignore it.
When the ABI can be changed it raises the possibilty of the
addition of a fib entry into the "struct route". Currently,
the structure contains the sockaddr of the desination, and the resulting
fib entry. To make this work fully, one could add a fib number
so that given an address and a fib, one can find the third element, the
fib entry.
Interaction with the ARP layer/ LL layer would need to be
revisited as well. Qing Li has been working on this already.
This work was sponsored by Ironport Systems/Cisco
Reviewed by: several including rwatson, bz and mlair (parts each)
Obtained from: Ironport systems/Cisco
2008-05-09 23:03:00 +00:00
|
|
|
#include <sys/proc.h>
|
2001-07-02 21:02:09 +00:00
|
|
|
#include <sys/conf.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
#include <machine/cpu.h>
|
|
|
|
|
|
|
|
#include <net/if.h>
|
2013-10-26 17:58:36 +00:00
|
|
|
#include <net/if_var.h>
|
Major overhaul of pseudo-interface cloning. Highlights include:
- Split the code out into if_clone.[ch].
- Locked struct if_clone. [1]
- Add a per-cloner match function rather then simply matching names of
the form <name><unit> and <name>.
- Use the match function to allow creation of <interface>.<tag>
vlan interfaces. The old way is preserved unchanged!
- Also the match function to allow creation of stf(4) interfaces named
stf0, stf, or 6to4. This is the only major user visible change in
that "ifconfig stf" creates the interface stf rather then stf0 and
does not print "stf0" to stdout.
- Allow destroy functions to fail so they can refuse to delete
interfaces. Currently, we forbid the deletion of interfaces which
were created in the init function, particularly lo0, pflog0, and
pfsync0. In the case of lo0 this was a panic implementation so it
does not count as a user visiable change. :-)
- Since most interfaces do not need the new functionality, an family of
wrapper functions, ifc_simple_*(), were created to wrap old style
cloner functions.
- The IF_CLONE_INITIALIZER macro is replaced with a new incompatible
IFC_CLONE_INITIALIZER and ifc_simple consumers use IFC_SIMPLE_DECLARE
instead.
Submitted by: Maurycy Pawlowski-Wieronski <maurycy at fouk.org> [1]
Reviewed by: andre, mlaier
Discussed on: net
2004-06-22 20:13:25 +00:00
|
|
|
#include <net/if_clone.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
#include <net/if_types.h>
|
|
|
|
#include <net/netisr.h>
|
|
|
|
#include <net/route.h>
|
|
|
|
#include <net/bpf.h>
|
2009-08-01 19:26:27 +00:00
|
|
|
#include <net/vnet.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#include <netinet/in_systm.h>
|
|
|
|
#include <netinet/ip.h>
|
2014-10-14 13:31:47 +00:00
|
|
|
#include <netinet/ip_ecn.h>
|
2001-06-11 12:39:29 +00:00
|
|
|
#ifdef INET
|
|
|
|
#include <netinet/in_var.h>
|
2001-07-02 21:02:09 +00:00
|
|
|
#include <netinet/ip_var.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
#endif /* INET */
|
|
|
|
|
|
|
|
#ifdef INET6
|
|
|
|
#ifndef INET
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#endif
|
|
|
|
#include <netinet6/in6_var.h>
|
|
|
|
#include <netinet/ip6.h>
|
2014-10-14 13:31:47 +00:00
|
|
|
#include <netinet6/ip6_ecn.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
#include <netinet6/ip6_var.h>
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
2000-07-04 16:35:15 +00:00
|
|
|
#include <netinet/ip_encap.h>
|
2005-12-21 21:29:45 +00:00
|
|
|
#include <net/ethernet.h>
|
|
|
|
#include <net/if_bridgevar.h>
|
1999-12-07 17:39:16 +00:00
|
|
|
#include <net/if_gif.h>
|
|
|
|
|
2006-10-22 11:52:19 +00:00
|
|
|
#include <security/mac/mac_framework.h>
|
|
|
|
|
2012-10-16 13:37:54 +00:00
|
|
|
static const char gifname[] = "gif";
|
2001-07-02 21:02:09 +00:00
|
|
|
|
2018-06-05 21:24:59 +00:00
|
|
|
MALLOC_DEFINE(M_GIF, "gif", "Generic Tunnel Interface");
|
2014-10-14 13:31:47 +00:00
|
|
|
static struct sx gif_ioctl_sx;
|
|
|
|
SX_SYSINIT(gif_ioctl_sx, &gif_ioctl_sx, "gif_ioctl");
|
Conditionally compile out V_ globals while instantiating the appropriate
container structures, depending on VIMAGE_GLOBALS compile time option.
Make VIMAGE_GLOBALS a new compile-time option, which by default will not
be defined, resulting in instatiations of global variables selected for
V_irtualization (enclosed in #ifdef VIMAGE_GLOBALS blocks) to be
effectively compiled out. Instantiate new global container structures
to hold V_irtualized variables: vnet_net_0, vnet_inet_0, vnet_inet6_0,
vnet_ipsec_0, vnet_netgraph_0, and vnet_gif_0.
Update the VSYM() macro so that depending on VIMAGE_GLOBALS the V_
macros resolve either to the original globals, or to fields inside
container structures, i.e. effectively
#ifdef VIMAGE_GLOBALS
#define V_rt_tables rt_tables
#else
#define V_rt_tables vnet_net_0._rt_tables
#endif
Update SYSCTL_V_*() macros to operate either on globals or on fields
inside container structs.
Extend the internal kldsym() lookups with the ability to resolve
selected fields inside the virtualization container structs. This
applies only to the fields which are explicitly registered for kldsym()
visibility via VNET_MOD_DECLARE() and vnet_mod_register(), currently
this is done only in sys/net/if.c.
Fix a few broken instances of MODULE_GLOBAL() macro use in SCTP code,
and modify the MODULE_GLOBAL() macro to resolve to V_ macros, which in
turn result in proper code being generated depending on VIMAGE_GLOBALS.
De-virtualize local static variables in sys/contrib/pf/net/pf_subr.c
which were prematurely V_irtualized by automated V_ prepending scripts
during earlier merging steps. PF virtualization will be done
separately, most probably after next PF import.
Convert a few variable initializations at instantiation to
initialization in init functions, most notably in ipfw. Also convert
TUNABLE_INT() initializers for V_ variables to TUNABLE_FETCH_INT() in
initializer functions.
Discussed at: devsummit Strassburg
Reviewed by: bz, julian
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-12-10 23:12:39 +00:00
|
|
|
|
2001-09-26 23:50:17 +00:00
|
|
|
void (*ng_gif_input_p)(struct ifnet *ifp, struct mbuf **mp, int af);
|
|
|
|
void (*ng_gif_input_orphan_p)(struct ifnet *ifp, struct mbuf *m, int af);
|
|
|
|
void (*ng_gif_attach_p)(struct ifnet *ifp);
|
|
|
|
void (*ng_gif_detach_p)(struct ifnet *ifp);
|
|
|
|
|
2020-06-03 13:02:31 +00:00
|
|
|
#ifdef VIMAGE
|
|
|
|
static void gif_reassign(struct ifnet *, struct vnet *, char *);
|
|
|
|
#endif
|
2018-06-05 21:24:59 +00:00
|
|
|
static void gif_delete_tunnel(struct gif_softc *);
|
2014-10-14 13:31:47 +00:00
|
|
|
static int gif_ioctl(struct ifnet *, u_long, caddr_t);
|
|
|
|
static int gif_transmit(struct ifnet *, struct mbuf *);
|
|
|
|
static void gif_qflush(struct ifnet *);
|
2006-07-09 06:04:01 +00:00
|
|
|
static int gif_clone_create(struct if_clone *, int, caddr_t);
|
2004-04-14 00:57:49 +00:00
|
|
|
static void gif_clone_destroy(struct ifnet *);
|
2018-07-24 16:35:52 +00:00
|
|
|
VNET_DEFINE_STATIC(struct if_clone *, gif_cloner);
|
2014-09-21 03:55:04 +00:00
|
|
|
#define V_gif_cloner VNET(gif_cloner)
|
2000-07-04 16:35:15 +00:00
|
|
|
|
2002-02-26 01:56:56 +00:00
|
|
|
SYSCTL_DECL(_net_link);
|
2020-02-26 14:26:36 +00:00
|
|
|
static SYSCTL_NODE(_net_link, IFT_GIF, gif, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
|
2002-02-26 01:56:56 +00:00
|
|
|
"Generic Tunnel Interface");
|
2000-07-04 16:35:15 +00:00
|
|
|
#ifndef MAX_GIF_NEST
|
|
|
|
/*
|
2002-02-26 01:56:56 +00:00
|
|
|
* This macro controls the default upper limitation on nesting of gif tunnels.
|
2000-07-04 16:35:15 +00:00
|
|
|
* Since, setting a large value to this macro with a careless configuration
|
|
|
|
* may introduce system crash, we don't allow any nestings by default.
|
|
|
|
* If you need to configure nested gif tunnels, you can define this macro
|
2002-04-19 04:46:24 +00:00
|
|
|
* in your kernel configuration file. However, if you do so, please be
|
2000-07-04 16:35:15 +00:00
|
|
|
* careful to configure the tunnels so that it won't make a loop.
|
|
|
|
*/
|
|
|
|
#define MAX_GIF_NEST 1
|
|
|
|
#endif
|
2018-07-24 16:35:52 +00:00
|
|
|
VNET_DEFINE_STATIC(int, max_gif_nesting) = MAX_GIF_NEST;
|
Introduce and use a sysinit-based initialization scheme for virtual
network stacks, VNET_SYSINIT:
- Add VNET_SYSINIT and VNET_SYSUNINIT macros to declare events that will
occur each time a network stack is instantiated and destroyed. In the
!VIMAGE case, these are simply mapped into regular SYSINIT/SYSUNINIT.
For the VIMAGE case, we instead use SYSINIT's to track their order and
properties on registration, using them for each vnet when created/
destroyed, or immediately on module load for already-started vnets.
- Remove vnet_modinfo mechanism that existed to serve this purpose
previously, as well as its dependency scheme: we now just use the
SYSINIT ordering scheme.
- Implement VNET_DOMAIN_SET() to allow protocol domains to declare that
they want init functions to be called for each virtual network stack
rather than just once at boot, compiling down to DOMAIN_SET() in the
non-VIMAGE case.
- Walk all virtualized kernel subsystems and make use of these instead
of modinfo or DOMAIN_SET() for init/uninit events. In some cases,
convert modular components from using modevent to using sysinit (where
appropriate). In some cases, do minor rejuggling of SYSINIT ordering
to make room for or better manage events.
Portions submitted by: jhb (VNET_SYSINIT), bz (cleanup)
Discussed with: jhb, bz, julian, zec
Reviewed by: bz
Approved by: re (VIMAGE blanket)
2009-07-23 20:46:49 +00:00
|
|
|
#define V_max_gif_nesting VNET(max_gif_nesting)
|
2014-11-07 09:39:05 +00:00
|
|
|
SYSCTL_INT(_net_link_gif, OID_AUTO, max_nesting, CTLFLAG_VNET | CTLFLAG_RW,
|
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator. Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...). This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack. Virtualized global variables are
tagged at compile-time, placing the in a special linker set, which is
loaded into a contiguous region of kernel memory. Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of a the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy. Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address. When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)
2009-07-14 22:48:30 +00:00
|
|
|
&VNET_NAME(max_gif_nesting), 0, "Max nested tunnels");
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
|
2004-04-14 00:57:49 +00:00
|
|
|
static int
|
2013-11-15 12:12:50 +00:00
|
|
|
gif_clone_create(struct if_clone *ifc, int unit, caddr_t params)
|
1999-12-07 17:39:16 +00:00
|
|
|
{
|
2001-06-11 12:39:29 +00:00
|
|
|
struct gif_softc *sc;
|
1999-12-07 17:39:16 +00:00
|
|
|
|
2004-07-06 03:26:26 +00:00
|
|
|
sc = malloc(sizeof(struct gif_softc), M_GIF, M_WAITOK | M_ZERO);
|
Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)
Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.
From my notes:
-----
One thing where FreeBSD has been falling behind, and which by chance I
have some time to work on is "policy based routing", which allows
different
packet streams to be routed by more than just the destination address.
Constraints:
------------
I want to make some form of this available in the 6.x tree
(and by extension 7.x) , but FreeBSD in general needs it so I might as
well do it in -current and back port the portions I need.
One of the ways that this can be done is to have the ability to
instantiate multiple kernel routing tables (which I will now
refer to as "Forwarding Information Bases" or "FIBs" for political
correctness reasons). Which FIB a particular packet uses to make
the next hop decision can be decided by a number of mechanisms.
The policies these mechanisms implement are the "Policies" referred
to in "Policy based routing".
One of the constraints I have if I try to back port this work to
6.x is that it must be implemented as a EXTENSION to the existing
ABIs in 6.x so that third party applications do not need to be
recompiled in timespan of the branch.
This first version will not have some of the bells and whistles that
will come with later versions. It will, for example, be limited to 16
tables in the first commit.
Implementation method, Compatible version. (part 1)
-------------------------------
For this reason I have implemented a "sufficient subset" of a
multiple routing table solution in Perforce, and back-ported it
to 6.x. (also in Perforce though not always caught up with what I
have done in -current/P4). The subset allows a number of FIBs
to be defined at compile time (8 is sufficient for my purposes in 6.x)
and implements the changes needed to allow IPV4 to use them. I have not
done the changes for ipv6 simply because I do not need it, and I do not
have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.
Other protocol families are left untouched and should there be
users with proprietary protocol families, they should continue to work
and be oblivious to the existence of the extra FIBs.
To understand how this is done, one must know that the current FIB
code starts everything off with a single dimensional array of
pointers to FIB head structures (One per protocol family), each of
which in turn points to the trie of routes available to that family.
The basic change in the ABI compatible version of the change is to
extent that array to be a 2 dimensional array, so that
instead of protocol family X looking at rt_tables[X] for the
table it needs, it looks at rt_tables[Y][X] when for all
protocol families except ipv4 Y is always 0.
Code that is unaware of the change always just sees the first row
of the table, which of course looks just like the one dimensional
array that existed before.
The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
are all maintained, but refer only to the first row of the array,
so that existing callers in proprietary protocols can continue to
do the "right thing".
Some new entry points are added, for the exclusive use of ipv4 code
called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
which have an extra argument which refers the code to the correct row.
In addition, there are some new entry points (currently called
rtalloc_fib() and friends) that check the Address family being
looked up and call either rtalloc() (and friends) if the protocol
is not IPv4 forcing the action to row 0 or to the appropriate row
if it IS IPv4 (and that info is available). These are for calling
from code that is not specific to any particular protocol. The way
these are implemented would change in the non ABI preserving code
to be added later.
One feature of the first version of the code is that for ipv4,
the interface routes show up automatically on all the FIBs, so
that no matter what FIB you select you always have the basic
direct attached hosts available to you. (rtinit() does this
automatically).
You CAN delete an interface route from one FIB should you want
to but by default it's there. ARP information is also available
in each FIB. It's assumed that the same machine would have the
same MAC address, regardless of which FIB you are using to get
to it.
This brings us as to how the correct FIB is selected for an outgoing
IPV4 packet.
Firstly, all packets have a FIB associated with them. if nothing
has been done to change it, it will be FIB 0. The FIB is changed
in the following ways.
Packets fall into one of a number of classes.
1/ locally generated packets, coming from a socket/PCB.
Such packets select a FIB from a number associated with the
socket/PCB. This in turn is inherited from the process,
but can be changed by a socket option. The process in turn
inherits it on fork. I have written a utility call setfib
that acts a bit like nice..
setfib -3 ping target.example.com # will use fib 3 for ping.
It is an obvious extension to make it a property of a jail
but I have not done so. It can be achieved by combining the setfib and
jail commands.
2/ packets received on an interface for forwarding.
By default these packets would use table 0,
(or possibly a number settable in a sysctl(not yet)).
but prior to routing the firewall can inspect them (see below).
(possibly in the future you may be able to associate a FIB
with packets received on an interface.. An ifconfig arg, but not yet.)
3/ packets inspected by a packet classifier, which can arbitrarily
associate a fib with it on a packet by packet basis.
A fib assigned to a packet by a packet classifier
(such as ipfw) would over-ride a fib associated by
a more default source. (such as cases 1 or 2).
4/ a tcp listen socket associated with a fib will generate
accept sockets that are associated with that same fib.
5/ Packets generated in response to some other packet (e.g. reset
or icmp packets). These should use the FIB associated with the
packet being reponded to.
6/ Packets generated during encapsulation.
gif, tun and other tunnel interfaces will encapsulate using the FIB
that was in effect withthe proces that set up the tunnel.
thus setfib 1 ifconfig gif0 [tunnel instructions]
will set the fib for the tunnel to use to be fib 1.
Routing messages would be associated with their
process, and thus select one FIB or another.
messages from the kernel would be associated with the fib they
refer to and would only be received by a routing socket associated
with that fib. (not yet implemented)
In addition Netstat has been edited to be able to cope with the
fact that the array is now 2 dimensional. (It looks in system
memory using libkvm (!)). Old versions of netstat see only the first FIB.
In addition two sysctls are added to give:
a) the number of FIBs compiled in (active)
b) the default FIB of the calling process.
Early testing experience:
-------------------------
Basically our (IronPort's) appliance does this functionality already
using ipfw fwd but that method has some drawbacks.
For example,
It can't fully simulate a routing table because it can't influence the
socket's choice of local address when a connect() is done.
Testing during the generating of these changes has been
remarkably smooth so far. Multiple tables have co-existed
with no notable side effects, and packets have been routes
accordingly.
ipfw has grown 2 new keywords:
setfib N ip from anay to any
count ip from any to any fib N
In pf there seems to be a requirement to be able to give symbolic names to the
fibs but I do not have that capacity. I am not sure if it is required.
SCTP has interestingly enough built in support for this, called VRFs
in Cisco parlance. it will be interesting to see how that handles it
when it suddenly actually does something.
Where to next:
--------------------
After committing the ABI compatible version and MFCing it, I'd
like to proceed in a forward direction in -current. this will
result in some roto-tilling in the routing code.
Firstly: the current code's idea of having a separate tree per
protocol family, all of the same format, and pointed to by the
1 dimensional array is a bit silly. Especially when one considers that
there is code that makes assumptions about every protocol having the
same internal structures there. Some protocols don't WANT that
sort of structure. (for example the whole idea of a netmask is foreign
to appletalk). This needs to be made opaque to the external code.
My suggested first change is to add routing method pointers to the
'domain' structure, along with information pointing the data.
instead of having an array of pointers to uniform structures,
there would be an array pointing to the 'domain' structures
for each protocol address domain (protocol family),
and the methods this reached would be called. The methods would have
an argument that gives FIB number, but the protocol would be free
to ignore it.
When the ABI can be changed it raises the possibilty of the
addition of a fib entry into the "struct route". Currently,
the structure contains the sockaddr of the desination, and the resulting
fib entry. To make this work fully, one could add a fib number
so that given an address and a fib, one can find the third element, the
fib entry.
Interaction with the ARP layer/ LL layer would need to be
revisited as well. Qing Li has been working on this already.
This work was sponsored by Ironport Systems/Cisco
Reviewed by: several including rwatson, bz and mlair (parts each)
Obtained from: Ironport systems/Cisco
2008-05-09 23:03:00 +00:00
|
|
|
sc->gif_fibnum = curthread->td_proc->p_fibnum;
|
2005-06-10 16:49:24 +00:00
|
|
|
GIF2IFP(sc) = if_alloc(IFT_GIF);
|
|
|
|
GIF2IFP(sc)->if_softc = sc;
|
2012-10-16 13:37:54 +00:00
|
|
|
if_initname(GIF2IFP(sc), gifname, unit);
|
2000-07-04 16:35:15 +00:00
|
|
|
|
2005-06-10 16:49:24 +00:00
|
|
|
GIF2IFP(sc)->if_addrlen = 0;
|
|
|
|
GIF2IFP(sc)->if_mtu = GIF_MTU;
|
|
|
|
GIF2IFP(sc)->if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
|
|
|
|
GIF2IFP(sc)->if_ioctl = gif_ioctl;
|
2018-06-05 21:24:59 +00:00
|
|
|
GIF2IFP(sc)->if_transmit = gif_transmit;
|
|
|
|
GIF2IFP(sc)->if_qflush = gif_qflush;
|
2005-06-10 16:49:24 +00:00
|
|
|
GIF2IFP(sc)->if_output = gif_output;
|
2020-06-03 13:02:31 +00:00
|
|
|
#ifdef VIMAGE
|
|
|
|
GIF2IFP(sc)->if_reassign = gif_reassign;
|
|
|
|
#endif
|
2015-10-03 09:15:23 +00:00
|
|
|
GIF2IFP(sc)->if_capabilities |= IFCAP_LINKSTATE;
|
|
|
|
GIF2IFP(sc)->if_capenable |= IFCAP_LINKSTATE;
|
2005-06-10 16:49:24 +00:00
|
|
|
if_attach(GIF2IFP(sc));
|
2005-06-26 18:11:11 +00:00
|
|
|
bpfattach(GIF2IFP(sc), DLT_NULL, sizeof(u_int32_t));
|
2001-09-26 23:50:17 +00:00
|
|
|
if (ng_gif_attach_p != NULL)
|
2005-06-10 16:49:24 +00:00
|
|
|
(*ng_gif_attach_p)(GIF2IFP(sc));
|
2006-01-30 08:39:09 +00:00
|
|
|
|
|
|
|
return (0);
|
2001-07-02 21:02:09 +00:00
|
|
|
}
|
|
|
|
|
2020-06-03 13:02:31 +00:00
|
|
|
#ifdef VIMAGE
|
|
|
|
static void
|
|
|
|
gif_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
|
|
|
|
char *unused __unused)
|
|
|
|
{
|
|
|
|
struct gif_softc *sc;
|
|
|
|
|
|
|
|
sx_xlock(&gif_ioctl_sx);
|
|
|
|
sc = ifp->if_softc;
|
|
|
|
if (sc != NULL)
|
|
|
|
gif_delete_tunnel(sc);
|
|
|
|
sx_xunlock(&gif_ioctl_sx);
|
|
|
|
}
|
|
|
|
#endif /* VIMAGE */
|
|
|
|
|
2004-03-22 15:43:14 +00:00
|
|
|
static void
|
2013-11-15 12:12:50 +00:00
|
|
|
gif_clone_destroy(struct ifnet *ifp)
|
2001-07-02 21:02:09 +00:00
|
|
|
{
|
2014-10-14 13:31:47 +00:00
|
|
|
struct gif_softc *sc;
|
2005-10-12 19:52:16 +00:00
|
|
|
|
2014-10-14 13:31:47 +00:00
|
|
|
sx_xlock(&gif_ioctl_sx);
|
|
|
|
sc = ifp->if_softc;
|
2018-06-05 21:24:59 +00:00
|
|
|
gif_delete_tunnel(sc);
|
2001-09-26 23:50:17 +00:00
|
|
|
if (ng_gif_detach_p != NULL)
|
|
|
|
(*ng_gif_detach_p)(ifp);
|
2001-07-02 21:02:09 +00:00
|
|
|
bpfdetach(ifp);
|
|
|
|
if_detach(ifp);
|
2014-10-14 13:31:47 +00:00
|
|
|
ifp->if_softc = NULL;
|
|
|
|
sx_xunlock(&gif_ioctl_sx);
|
2001-07-02 21:02:09 +00:00
|
|
|
|
2018-06-05 21:24:59 +00:00
|
|
|
GIF_WAIT();
|
2014-10-14 13:31:47 +00:00
|
|
|
if_free(ifp);
|
2001-07-02 21:02:09 +00:00
|
|
|
free(sc, M_GIF);
|
|
|
|
}
|
|
|
|
|
Introduce and use a sysinit-based initialization scheme for virtual
network stacks, VNET_SYSINIT:
- Add VNET_SYSINIT and VNET_SYSUNINIT macros to declare events that will
occur each time a network stack is instantiated and destroyed. In the
!VIMAGE case, these are simply mapped into regular SYSINIT/SYSUNINIT.
For the VIMAGE case, we instead use SYSINIT's to track their order and
properties on registration, using them for each vnet when created/
destroyed, or immediately on module load for already-started vnets.
- Remove vnet_modinfo mechanism that existed to serve this purpose
previously, as well as its dependency scheme: we now just use the
SYSINIT ordering scheme.
- Implement VNET_DOMAIN_SET() to allow protocol domains to declare that
they want init functions to be called for each virtual network stack
rather than just once at boot, compiling down to DOMAIN_SET() in the
non-VIMAGE case.
- Walk all virtualized kernel subsystems and make use of these instead
of modinfo or DOMAIN_SET() for init/uninit events. In some cases,
convert modular components from using modevent to using sysinit (where
appropriate). In some cases, do minor rejuggling of SYSINIT ordering
to make room for or better manage events.
Portions submitted by: jhb (VNET_SYSINIT), bz (cleanup)
Discussed with: jhb, bz, julian, zec
Reviewed by: bz
Approved by: re (VIMAGE blanket)
2009-07-23 20:46:49 +00:00
|
|
|
static void
|
|
|
|
vnet_gif_init(const void *unused __unused)
|
First pass at separating per-vnet initializer functions
from existing functions for initializing global state.
At this stage, the new per-vnet initializer functions are
directly called from the existing global initialization code,
which should in most cases result in compiler inlining those
new functions, hence yielding a near-zero functional change.
Modify the existing initializer functions which are invoked via
protosw, like ip_init() et. al., to allow them to be invoked
multiple times, i.e. per each vnet. Global state, if any,
is initialized only if such functions are called within the
context of vnet0, which will be determined via the
IS_DEFAULT_VNET(curvnet) check (currently always true).
While here, V_irtualize a few remaining global UMA zones
used by net/netinet/netipsec networking code. While it is
not yet clear to me or anybody else whether this is the right
thing to do, at this stage this makes the code more readable,
and makes it easier to track uncollected UMA-zone-backed
objects on vnet removal. In the long run, it's quite possible
that some form of shared use of UMA zone pools among multiple
vnets should be considered.
Bump __FreeBSD_version due to changes in layout of structs
vnet_ipfw, vnet_inet and vnet_net.
Approved by: julian (mentor)
2009-04-06 22:29:41 +00:00
|
|
|
{
|
|
|
|
|
2014-09-21 03:55:04 +00:00
|
|
|
V_gif_cloner = if_clone_simple(gifname, gif_clone_create,
|
|
|
|
gif_clone_destroy, 0);
|
2018-06-05 21:24:59 +00:00
|
|
|
#ifdef INET
|
|
|
|
in_gif_init();
|
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
|
|
|
in6_gif_init();
|
|
|
|
#endif
|
2014-09-21 03:55:04 +00:00
|
|
|
}
|
|
|
|
VNET_SYSINIT(vnet_gif_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
|
|
|
|
vnet_gif_init, NULL);
|
|
|
|
|
|
|
|
static void
|
|
|
|
vnet_gif_uninit(const void *unused __unused)
|
|
|
|
{
|
|
|
|
|
|
|
|
if_clone_detach(V_gif_cloner);
|
2018-06-05 21:24:59 +00:00
|
|
|
#ifdef INET
|
|
|
|
in_gif_uninit();
|
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
|
|
|
in6_gif_uninit();
|
|
|
|
#endif
|
First pass at separating per-vnet initializer functions
from existing functions for initializing global state.
At this stage, the new per-vnet initializer functions are
directly called from the existing global initialization code,
which should in most cases result in compiler inlining those
new functions, hence yielding a near-zero functional change.
Modify the existing initializer functions which are invoked via
protosw, like ip_init() et. al., to allow them to be invoked
multiple times, i.e. per each vnet. Global state, if any,
is initialized only if such functions are called within the
context of vnet0, which will be determined via the
IS_DEFAULT_VNET(curvnet) check (currently always true).
While here, V_irtualize a few remaining global UMA zones
used by net/netinet/netipsec networking code. While it is
not yet clear to me or anybody else whether this is the right
thing to do, at this stage this makes the code more readable,
and makes it easier to track uncollected UMA-zone-backed
objects on vnet removal. In the long run, it's quite possible
that some form of shared use of UMA zone pools among multiple
vnets should be considered.
Bump __FreeBSD_version due to changes in layout of structs
vnet_ipfw, vnet_inet and vnet_net.
Approved by: julian (mentor)
2009-04-06 22:29:41 +00:00
|
|
|
}
|
2014-09-21 03:55:04 +00:00
|
|
|
VNET_SYSUNINIT(vnet_gif_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
|
|
|
|
vnet_gif_uninit, NULL);
|
First pass at separating per-vnet initializer functions
from existing functions for initializing global state.
At this stage, the new per-vnet initializer functions are
directly called from the existing global initialization code,
which should in most cases result in compiler inlining those
new functions, hence yielding a near-zero functional change.
Modify the existing initializer functions which are invoked via
protosw, like ip_init() et. al., to allow them to be invoked
multiple times, i.e. per each vnet. Global state, if any,
is initialized only if such functions are called within the
context of vnet0, which will be determined via the
IS_DEFAULT_VNET(curvnet) check (currently always true).
While here, V_irtualize a few remaining global UMA zones
used by net/netinet/netipsec networking code. While it is
not yet clear to me or anybody else whether this is the right
thing to do, at this stage this makes the code more readable,
and makes it easier to track uncollected UMA-zone-backed
objects on vnet removal. In the long run, it's quite possible
that some form of shared use of UMA zone pools among multiple
vnets should be considered.
Bump __FreeBSD_version due to changes in layout of structs
vnet_ipfw, vnet_inet and vnet_net.
Approved by: julian (mentor)
2009-04-06 22:29:41 +00:00
|
|
|
|
2001-07-02 21:02:09 +00:00
|
|
|
static int
|
2013-11-15 12:12:50 +00:00
|
|
|
gifmodevent(module_t mod, int type, void *data)
|
2001-07-02 21:02:09 +00:00
|
|
|
{
|
|
|
|
|
|
|
|
switch (type) {
|
|
|
|
case MOD_LOAD:
|
|
|
|
case MOD_UNLOAD:
|
|
|
|
break;
|
2004-07-15 08:26:07 +00:00
|
|
|
default:
|
2014-09-21 03:55:04 +00:00
|
|
|
return (EOPNOTSUPP);
|
1999-12-07 17:39:16 +00:00
|
|
|
}
|
2014-09-21 03:55:04 +00:00
|
|
|
return (0);
|
1999-12-07 17:39:16 +00:00
|
|
|
}
|
|
|
|
|
2001-07-02 21:02:09 +00:00
|
|
|
static moduledata_t gif_mod = {
|
|
|
|
"if_gif",
|
|
|
|
gifmodevent,
|
2012-10-10 08:36:38 +00:00
|
|
|
0
|
2001-07-02 21:02:09 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
DECLARE_MODULE(if_gif, gif_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
|
2001-09-26 23:37:15 +00:00
|
|
|
MODULE_VERSION(if_gif, 1);
|
1999-12-07 17:39:16 +00:00
|
|
|
|
2018-06-05 21:24:59 +00:00
|
|
|
struct gif_list *
|
|
|
|
gif_hashinit(void)
|
2000-07-04 16:35:15 +00:00
|
|
|
{
|
2018-06-05 21:24:59 +00:00
|
|
|
struct gif_list *hash;
|
|
|
|
int i;
|
2000-07-04 16:35:15 +00:00
|
|
|
|
2018-06-05 21:24:59 +00:00
|
|
|
hash = malloc(sizeof(struct gif_list) * GIF_HASH_SIZE,
|
|
|
|
M_GIF, M_WAITOK);
|
|
|
|
for (i = 0; i < GIF_HASH_SIZE; i++)
|
|
|
|
CK_LIST_INIT(&hash[i]);
|
2000-07-04 16:35:15 +00:00
|
|
|
|
2018-06-05 21:24:59 +00:00
|
|
|
return (hash);
|
|
|
|
}
|
2000-07-04 16:35:15 +00:00
|
|
|
|
2018-06-05 21:24:59 +00:00
|
|
|
void
|
|
|
|
gif_hashdestroy(struct gif_list *hash)
|
|
|
|
{
|
2000-07-04 16:35:15 +00:00
|
|
|
|
2018-06-05 21:24:59 +00:00
|
|
|
free(hash, M_GIF);
|
2000-07-04 16:35:15 +00:00
|
|
|
}
|
2014-10-14 13:31:47 +00:00
|
|
|
|
2018-07-09 11:03:28 +00:00
|
|
|
#define MTAG_GIF 1080679712
|
2014-10-14 13:31:47 +00:00
|
|
|
static int
|
|
|
|
gif_transmit(struct ifnet *ifp, struct mbuf *m)
|
|
|
|
{
|
|
|
|
struct gif_softc *sc;
|
|
|
|
struct etherip_header *eth;
|
2012-06-12 10:44:09 +00:00
|
|
|
#ifdef INET
|
2014-10-14 13:31:47 +00:00
|
|
|
struct ip *ip;
|
2012-06-12 10:44:09 +00:00
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
2014-10-14 13:31:47 +00:00
|
|
|
struct ip6_hdr *ip6;
|
|
|
|
uint32_t t;
|
2012-06-12 10:44:09 +00:00
|
|
|
#endif
|
|
|
|
uint32_t af;
|
2014-10-14 13:31:47 +00:00
|
|
|
uint8_t proto, ecn;
|
|
|
|
int error;
|
2005-12-21 21:29:45 +00:00
|
|
|
|
2020-01-15 06:18:32 +00:00
|
|
|
NET_EPOCH_ASSERT();
|
2015-01-10 08:28:50 +00:00
|
|
|
#ifdef MAC
|
|
|
|
error = mac_ifnet_check_transmit(ifp, m);
|
|
|
|
if (error) {
|
|
|
|
m_freem(m);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
#endif
|
2014-10-14 13:31:47 +00:00
|
|
|
error = ENETDOWN;
|
2005-12-21 21:29:45 +00:00
|
|
|
sc = ifp->if_softc;
|
2015-01-10 08:28:50 +00:00
|
|
|
if ((ifp->if_flags & IFF_MONITOR) != 0 ||
|
|
|
|
(ifp->if_flags & IFF_UP) == 0 ||
|
2018-10-21 18:06:15 +00:00
|
|
|
(ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
|
2015-01-10 08:28:50 +00:00
|
|
|
sc->gif_family == 0 ||
|
2018-07-09 11:03:28 +00:00
|
|
|
(error = if_tunnel_check_nesting(ifp, m, MTAG_GIF,
|
|
|
|
V_max_gif_nesting)) != 0) {
|
2014-10-14 13:31:47 +00:00
|
|
|
m_freem(m);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
/* Now pull back the af that we stashed in the csum_data. */
|
2015-01-10 08:28:50 +00:00
|
|
|
if (ifp->if_bridge)
|
|
|
|
af = AF_LINK;
|
|
|
|
else
|
|
|
|
af = m->m_pkthdr.csum_data;
|
|
|
|
m->m_flags &= ~(M_BCAST|M_MCAST);
|
|
|
|
M_SETFIB(m, sc->gif_fibnum);
|
2014-10-14 13:31:47 +00:00
|
|
|
BPF_MTAP2(ifp, &af, sizeof(af), m);
|
|
|
|
if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
|
|
|
|
if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
|
|
|
|
/* inner AF-specific encapsulation */
|
|
|
|
ecn = 0;
|
|
|
|
switch (af) {
|
2012-06-12 10:44:09 +00:00
|
|
|
#ifdef INET
|
2014-10-14 13:31:47 +00:00
|
|
|
case AF_INET:
|
|
|
|
proto = IPPROTO_IPV4;
|
|
|
|
if (m->m_len < sizeof(struct ip))
|
|
|
|
m = m_pullup(m, sizeof(struct ip));
|
|
|
|
if (m == NULL) {
|
|
|
|
error = ENOBUFS;
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
ip = mtod(m, struct ip *);
|
|
|
|
ip_ecn_ingress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED:
|
|
|
|
ECN_NOCARE, &ecn, &ip->ip_tos);
|
|
|
|
break;
|
2012-06-12 10:44:09 +00:00
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
2014-10-14 13:31:47 +00:00
|
|
|
case AF_INET6:
|
|
|
|
proto = IPPROTO_IPV6;
|
|
|
|
if (m->m_len < sizeof(struct ip6_hdr))
|
|
|
|
m = m_pullup(m, sizeof(struct ip6_hdr));
|
|
|
|
if (m == NULL) {
|
|
|
|
error = ENOBUFS;
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
t = 0;
|
|
|
|
ip6 = mtod(m, struct ip6_hdr *);
|
|
|
|
ip6_ecn_ingress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED:
|
|
|
|
ECN_NOCARE, &t, &ip6->ip6_flow);
|
|
|
|
ecn = (ntohl(t) >> 20) & 0xff;
|
|
|
|
break;
|
2012-06-12 10:44:09 +00:00
|
|
|
#endif
|
2014-10-14 13:31:47 +00:00
|
|
|
case AF_LINK:
|
|
|
|
proto = IPPROTO_ETHERIP;
|
|
|
|
M_PREPEND(m, sizeof(struct etherip_header), M_NOWAIT);
|
|
|
|
if (m == NULL) {
|
|
|
|
error = ENOBUFS;
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
eth = mtod(m, struct etherip_header *);
|
|
|
|
eth->eip_resvh = 0;
|
2015-09-10 05:59:39 +00:00
|
|
|
eth->eip_ver = ETHERIP_VERSION;
|
|
|
|
eth->eip_resvl = 0;
|
2014-10-14 13:31:47 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
error = EAFNOSUPPORT;
|
|
|
|
m_freem(m);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
/* XXX should we check if our outer source is legal? */
|
|
|
|
/* dispatch to output logic based on outer AF */
|
|
|
|
switch (sc->gif_family) {
|
2012-06-12 10:44:09 +00:00
|
|
|
#ifdef INET
|
2014-10-14 13:31:47 +00:00
|
|
|
case AF_INET:
|
|
|
|
error = in_gif_output(ifp, m, proto, ecn);
|
|
|
|
break;
|
2012-06-12 10:44:09 +00:00
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
2014-10-14 13:31:47 +00:00
|
|
|
case AF_INET6:
|
|
|
|
error = in6_gif_output(ifp, m, proto, ecn);
|
|
|
|
break;
|
2012-06-12 10:44:09 +00:00
|
|
|
#endif
|
2014-10-14 13:31:47 +00:00
|
|
|
default:
|
|
|
|
m_freem(m);
|
2005-12-21 21:29:45 +00:00
|
|
|
}
|
2014-10-14 13:31:47 +00:00
|
|
|
err:
|
|
|
|
if (error)
|
|
|
|
if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
gif_qflush(struct ifnet *ifp __unused)
|
|
|
|
{
|
|
|
|
|
2005-12-21 21:29:45 +00:00
|
|
|
}
|
|
|
|
|
2015-01-10 03:13:16 +00:00
|
|
|
int
|
|
|
|
gif_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
|
|
|
|
struct route *ro)
|
|
|
|
{
|
|
|
|
uint32_t af;
|
2000-07-04 16:35:15 +00:00
|
|
|
|
2013-04-26 12:50:32 +00:00
|
|
|
if (dst->sa_family == AF_UNSPEC)
|
2005-06-26 18:11:11 +00:00
|
|
|
bcopy(dst->sa_data, &af, sizeof(af));
|
2013-04-26 12:50:32 +00:00
|
|
|
else
|
|
|
|
af = dst->sa_family;
|
2012-06-12 13:31:32 +00:00
|
|
|
/*
|
2014-10-14 13:31:47 +00:00
|
|
|
* Now save the af in the inbound pkt csum data, this is a cheat since
|
|
|
|
* we are using the inbound csum_data field to carry the af over to
|
|
|
|
* the gif_transmit() routine, avoiding using yet another mtag.
|
2012-06-12 10:44:09 +00:00
|
|
|
*/
|
2014-10-14 13:31:47 +00:00
|
|
|
m->m_pkthdr.csum_data = af;
|
|
|
|
return (ifp->if_transmit(ifp, m));
|
1999-12-07 17:39:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2014-10-14 13:31:47 +00:00
|
|
|
gif_input(struct mbuf *m, struct ifnet *ifp, int proto, uint8_t ecn)
|
1999-12-07 17:39:16 +00:00
|
|
|
{
|
2005-12-21 21:29:45 +00:00
|
|
|
struct etherip_header *eip;
|
2014-10-14 13:31:47 +00:00
|
|
|
#ifdef INET
|
|
|
|
struct ip *ip;
|
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
|
|
|
struct ip6_hdr *ip6;
|
|
|
|
uint32_t t;
|
|
|
|
#endif
|
2008-03-06 19:02:37 +00:00
|
|
|
struct ether_header *eh;
|
|
|
|
struct ifnet *oldifp;
|
2014-10-14 13:31:47 +00:00
|
|
|
int isr, n, af;
|
1999-12-07 17:39:16 +00:00
|
|
|
|
Widen NET_EPOCH coverage.
When epoch(9) was introduced to network stack, it was basically
dropped in place of existing locking, which was mutexes and
rwlocks. For the sake of performance mutex covered areas were
as small as possible, so became epoch covered areas.
However, epoch doesn't introduce any contention, it just delays
memory reclaim. So, there is no point to minimise epoch covered
areas in sense of performance. Meanwhile entering/exiting epoch
also has non-zero CPU usage, so doing this less often is a win.
Not the least is also code maintainability. In the new paradigm
we can assume that at any stage of processing a packet, we are
inside network epoch. This makes coding both input and output
path way easier.
On output path we already enter epoch quite early - in the
ip_output(), in the ip6_output().
This patch does the same for the input path. All ISR processing,
network related callouts, other ways of packet injection to the
network stack shall be performed in net_epoch. Any leaf function
that walks network configuration now asserts epoch.
Tricky part is configuration code paths - ioctls, sysctls. They
also call into leaf functions, so some need to be changed.
This patch would introduce more epoch recursions (see EPOCH_TRACE)
than we had before. They will be cleaned up separately, as several
of them aren't trivial. Note, that unlike a lock recursion the
epoch recursion is safe and just wastes a bit of resources.
Reviewed by: gallatin, hselasky, cy, adrian, kristof
Differential Revision: https://reviews.freebsd.org/D19111
2019-10-07 22:40:05 +00:00
|
|
|
NET_EPOCH_ASSERT();
|
|
|
|
|
2002-10-17 17:39:56 +00:00
|
|
|
if (ifp == NULL) {
|
1999-12-07 17:39:16 +00:00
|
|
|
/* just in case */
|
|
|
|
m_freem(m);
|
|
|
|
return;
|
|
|
|
}
|
2002-10-17 17:39:56 +00:00
|
|
|
m->m_pkthdr.rcvif = ifp;
|
2014-10-08 21:23:34 +00:00
|
|
|
m_clrprotoflags(m);
|
2014-10-14 13:31:47 +00:00
|
|
|
switch (proto) {
|
|
|
|
#ifdef INET
|
|
|
|
case IPPROTO_IPV4:
|
|
|
|
af = AF_INET;
|
|
|
|
if (m->m_len < sizeof(struct ip))
|
|
|
|
m = m_pullup(m, sizeof(struct ip));
|
|
|
|
if (m == NULL)
|
|
|
|
goto drop;
|
|
|
|
ip = mtod(m, struct ip *);
|
|
|
|
if (ip_ecn_egress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED:
|
|
|
|
ECN_NOCARE, &ecn, &ip->ip_tos) == 0) {
|
|
|
|
m_freem(m);
|
|
|
|
goto drop;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
|
|
|
case IPPROTO_IPV6:
|
|
|
|
af = AF_INET6;
|
|
|
|
if (m->m_len < sizeof(struct ip6_hdr))
|
|
|
|
m = m_pullup(m, sizeof(struct ip6_hdr));
|
|
|
|
if (m == NULL)
|
|
|
|
goto drop;
|
|
|
|
t = htonl((uint32_t)ecn << 20);
|
|
|
|
ip6 = mtod(m, struct ip6_hdr *);
|
|
|
|
if (ip6_ecn_egress((ifp->if_flags & IFF_LINK1) ? ECN_ALLOWED:
|
|
|
|
ECN_NOCARE, &t, &ip6->ip6_flow) == 0) {
|
|
|
|
m_freem(m);
|
|
|
|
goto drop;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
case IPPROTO_ETHERIP:
|
|
|
|
af = AF_LINK;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
m_freem(m);
|
|
|
|
goto drop;
|
|
|
|
}
|
2002-08-01 21:00:05 +00:00
|
|
|
|
|
|
|
#ifdef MAC
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_ifnet_create_mbuf(ifp, m);
|
2002-08-01 21:00:05 +00:00
|
|
|
#endif
|
|
|
|
|
2006-06-02 19:59:33 +00:00
|
|
|
if (bpf_peers_present(ifp->if_bpf)) {
|
2014-10-14 13:31:47 +00:00
|
|
|
uint32_t af1 = af;
|
2003-12-28 03:56:00 +00:00
|
|
|
bpf_mtap2(ifp->if_bpf, &af1, sizeof(af1), m);
|
1999-12-07 17:39:16 +00:00
|
|
|
}
|
|
|
|
|
2013-07-12 12:18:07 +00:00
|
|
|
if ((ifp->if_flags & IFF_MONITOR) != 0) {
|
2014-09-19 10:39:58 +00:00
|
|
|
if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
|
|
|
|
if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
|
2013-07-12 12:18:07 +00:00
|
|
|
m_freem(m);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2001-09-26 23:50:17 +00:00
|
|
|
if (ng_gif_input_p != NULL) {
|
2002-10-17 17:39:56 +00:00
|
|
|
(*ng_gif_input_p)(ifp, &m, af);
|
2001-09-26 23:50:17 +00:00
|
|
|
if (m == NULL)
|
2014-10-14 13:31:47 +00:00
|
|
|
goto drop;
|
2001-09-26 23:50:17 +00:00
|
|
|
}
|
|
|
|
|
1999-12-07 17:39:16 +00:00
|
|
|
/*
|
|
|
|
* Put the packet to the network layer input queue according to the
|
|
|
|
* specified address family.
|
|
|
|
* Note: older versions of gif_input directly called network layer
|
2002-04-19 04:46:24 +00:00
|
|
|
* input functions, e.g. ip6_input, here. We changed the policy to
|
1999-12-07 17:39:16 +00:00
|
|
|
* prevent too many recursive calls of such input functions, which
|
2002-04-19 04:46:24 +00:00
|
|
|
* might cause kernel panic. But the change may introduce another
|
1999-12-07 17:39:16 +00:00
|
|
|
* problem; if the input queue is full, packets are discarded.
|
2002-04-19 04:46:24 +00:00
|
|
|
* The kernel stack overflow really happened, and we believed
|
|
|
|
* queue-full rarely occurs, so we changed the policy.
|
1999-12-07 17:39:16 +00:00
|
|
|
*/
|
|
|
|
switch (af) {
|
|
|
|
#ifdef INET
|
|
|
|
case AF_INET:
|
|
|
|
isr = NETISR_IP;
|
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
|
|
|
case AF_INET6:
|
|
|
|
isr = NETISR_IPV6;
|
|
|
|
break;
|
|
|
|
#endif
|
2005-12-21 21:29:45 +00:00
|
|
|
case AF_LINK:
|
2018-06-05 21:24:59 +00:00
|
|
|
n = sizeof(struct etherip_header) +
|
|
|
|
sizeof(struct ether_header);
|
2014-10-14 13:31:47 +00:00
|
|
|
if (n > m->m_len)
|
2005-12-21 21:29:45 +00:00
|
|
|
m = m_pullup(m, n);
|
2014-10-14 13:31:47 +00:00
|
|
|
if (m == NULL)
|
|
|
|
goto drop;
|
2005-12-21 21:29:45 +00:00
|
|
|
eip = mtod(m, struct etherip_header *);
|
2014-10-14 13:31:47 +00:00
|
|
|
if (eip->eip_ver != ETHERIP_VERSION) {
|
2015-09-10 05:59:39 +00:00
|
|
|
/* discard unknown versions */
|
|
|
|
m_freem(m);
|
|
|
|
goto drop;
|
2005-12-21 21:29:45 +00:00
|
|
|
}
|
|
|
|
m_adj(m, sizeof(struct etherip_header));
|
|
|
|
|
|
|
|
m->m_flags &= ~(M_BCAST|M_MCAST);
|
|
|
|
m->m_pkthdr.rcvif = ifp;
|
|
|
|
|
2008-03-06 19:02:37 +00:00
|
|
|
if (ifp->if_bridge) {
|
|
|
|
oldifp = ifp;
|
|
|
|
eh = mtod(m, struct ether_header *);
|
|
|
|
if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
|
|
|
|
if (ETHER_IS_BROADCAST(eh->ether_dhost))
|
|
|
|
m->m_flags |= M_BCAST;
|
|
|
|
else
|
|
|
|
m->m_flags |= M_MCAST;
|
2014-09-19 10:39:58 +00:00
|
|
|
if_inc_counter(ifp, IFCOUNTER_IMCASTS, 1);
|
2008-03-06 19:02:37 +00:00
|
|
|
}
|
2005-12-21 21:29:45 +00:00
|
|
|
BRIDGE_INPUT(ifp, m);
|
2008-03-06 19:02:37 +00:00
|
|
|
|
|
|
|
if (m != NULL && ifp != oldifp) {
|
|
|
|
/*
|
|
|
|
* The bridge gave us back itself or one of the
|
|
|
|
* members for which the frame is addressed.
|
|
|
|
*/
|
|
|
|
ether_demux(ifp, m);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
2005-12-21 21:29:45 +00:00
|
|
|
if (m != NULL)
|
|
|
|
m_freem(m);
|
|
|
|
return;
|
|
|
|
|
1999-12-07 17:39:16 +00:00
|
|
|
default:
|
2001-09-26 23:50:17 +00:00
|
|
|
if (ng_gif_input_orphan_p != NULL)
|
2002-10-17 17:39:56 +00:00
|
|
|
(*ng_gif_input_orphan_p)(ifp, m, af);
|
2001-09-26 23:50:17 +00:00
|
|
|
else
|
|
|
|
m_freem(m);
|
1999-12-07 17:39:16 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2014-09-19 10:39:58 +00:00
|
|
|
if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
|
|
|
|
if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
|
2011-07-03 16:08:38 +00:00
|
|
|
M_SETFIB(m, ifp->if_fib);
|
2003-03-04 23:19:55 +00:00
|
|
|
netisr_dispatch(isr, m);
|
2014-10-14 13:31:47 +00:00
|
|
|
return;
|
|
|
|
drop:
|
|
|
|
if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
|
1999-12-07 17:39:16 +00:00
|
|
|
}
|
|
|
|
|
2018-06-05 21:24:59 +00:00
|
|
|
static int
|
2013-11-15 12:12:50 +00:00
|
|
|
gif_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
|
1999-12-07 17:39:16 +00:00
|
|
|
{
|
2014-10-14 13:31:47 +00:00
|
|
|
struct ifreq *ifr = (struct ifreq*)data;
|
|
|
|
struct gif_softc *sc;
|
|
|
|
u_int options;
|
|
|
|
int error;
|
2002-10-17 17:42:46 +00:00
|
|
|
|
1999-12-07 17:39:16 +00:00
|
|
|
switch (cmd) {
|
|
|
|
case SIOCSIFADDR:
|
2002-10-16 19:49:37 +00:00
|
|
|
ifp->if_flags |= IFF_UP;
|
1999-12-07 17:39:16 +00:00
|
|
|
case SIOCADDMULTI:
|
|
|
|
case SIOCDELMULTI:
|
|
|
|
case SIOCGIFMTU:
|
2014-10-14 13:31:47 +00:00
|
|
|
case SIOCSIFFLAGS:
|
|
|
|
return (0);
|
1999-12-07 17:39:16 +00:00
|
|
|
case SIOCSIFMTU:
|
2014-10-14 13:31:47 +00:00
|
|
|
if (ifr->ifr_mtu < GIF_MTU_MIN ||
|
|
|
|
ifr->ifr_mtu > GIF_MTU_MAX)
|
2002-10-17 17:42:46 +00:00
|
|
|
return (EINVAL);
|
2014-10-14 13:31:47 +00:00
|
|
|
else
|
|
|
|
ifp->if_mtu = ifr->ifr_mtu;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
sx_xlock(&gif_ioctl_sx);
|
|
|
|
sc = ifp->if_softc;
|
|
|
|
if (sc == NULL) {
|
|
|
|
error = ENXIO;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
error = 0;
|
|
|
|
switch (cmd) {
|
2000-07-04 16:35:15 +00:00
|
|
|
case SIOCDIFPHYADDR:
|
2018-06-05 21:24:59 +00:00
|
|
|
if (sc->gif_family == 0)
|
|
|
|
break;
|
|
|
|
gif_delete_tunnel(sc);
|
2000-07-04 16:35:15 +00:00
|
|
|
break;
|
2018-06-05 21:24:59 +00:00
|
|
|
#ifdef INET
|
|
|
|
case SIOCSIFPHYADDR:
|
1999-12-07 17:39:16 +00:00
|
|
|
case SIOCGIFPSRCADDR:
|
2014-10-14 13:31:47 +00:00
|
|
|
case SIOCGIFPDSTADDR:
|
2018-06-05 21:24:59 +00:00
|
|
|
error = in_gif_ioctl(sc, cmd, data);
|
|
|
|
break;
|
|
|
|
#endif
|
2014-10-14 14:51:27 +00:00
|
|
|
#ifdef INET6
|
2018-06-05 21:24:59 +00:00
|
|
|
case SIOCSIFPHYADDR_IN6:
|
1999-12-07 17:39:16 +00:00
|
|
|
case SIOCGIFPSRCADDR_IN6:
|
2014-10-14 13:31:47 +00:00
|
|
|
case SIOCGIFPDSTADDR_IN6:
|
2018-06-05 21:24:59 +00:00
|
|
|
error = in6_gif_ioctl(sc, cmd, data);
|
2001-06-11 12:39:29 +00:00
|
|
|
break;
|
2018-06-05 21:24:59 +00:00
|
|
|
#endif
|
2015-05-12 07:37:27 +00:00
|
|
|
case SIOCGTUNFIB:
|
|
|
|
ifr->ifr_fib = sc->gif_fibnum;
|
|
|
|
break;
|
|
|
|
case SIOCSTUNFIB:
|
|
|
|
if ((error = priv_check(curthread, PRIV_NET_GIF)) != 0)
|
|
|
|
break;
|
|
|
|
if (ifr->ifr_fib >= rt_numfibs)
|
|
|
|
error = EINVAL;
|
|
|
|
else
|
|
|
|
sc->gif_fibnum = ifr->ifr_fib;
|
|
|
|
break;
|
Fix and add a workaround on an issue of EtherIP packet with reversed
version field sent via gif(4)+if_bridge(4). The EtherIP
implementation found on FreeBSD 6.1, 6.2, 6.3, 7.0, 7.1, and 7.2 had
an interoperability issue because it sent the incorrect EtherIP
packets and discarded the correct ones.
This change introduces the following two flags to gif(4):
accept_rev_ethip_ver: accepts both correct EtherIP packets and ones
with reversed version field, if enabled. If disabled, the gif
accepts the correct packets only. This flag is enabled by
default.
send_rev_ethip_ver: sends EtherIP packets with reversed version field
intentionally, if enabled. If disabled, the gif sends the correct
packets only. This flag is disabled by default.
These flags are stored in struct gif_softc and can be set by
ifconfig(8) on per-interface basis.
Note that this is an incompatible change of EtherIP with the older
FreeBSD releases. If you need to interoperate older FreeBSD boxes and
new versions after this commit, setting "send_rev_ethip_ver" is
needed.
Reviewed by: thompsa and rwatson
Spotted by: Shunsuke SHINOMIYA
PR: kern/125003
MFC after: 2 weeks
2009-06-07 23:00:40 +00:00
|
|
|
case GIFGOPTS:
|
|
|
|
options = sc->gif_options;
|
2018-03-30 18:50:13 +00:00
|
|
|
error = copyout(&options, ifr_data_get_ptr(ifr),
|
|
|
|
sizeof(options));
|
Fix and add a workaround on an issue of EtherIP packet with reversed
version field sent via gif(4)+if_bridge(4). The EtherIP
implementation found on FreeBSD 6.1, 6.2, 6.3, 7.0, 7.1, and 7.2 had
an interoperability issue because it sent the incorrect EtherIP
packets and discarded the correct ones.
This change introduces the following two flags to gif(4):
accept_rev_ethip_ver: accepts both correct EtherIP packets and ones
with reversed version field, if enabled. If disabled, the gif
accepts the correct packets only. This flag is enabled by
default.
send_rev_ethip_ver: sends EtherIP packets with reversed version field
intentionally, if enabled. If disabled, the gif sends the correct
packets only. This flag is disabled by default.
These flags are stored in struct gif_softc and can be set by
ifconfig(8) on per-interface basis.
Note that this is an incompatible change of EtherIP with the older
FreeBSD releases. If you need to interoperate older FreeBSD boxes and
new versions after this commit, setting "send_rev_ethip_ver" is
needed.
Reviewed by: thompsa and rwatson
Spotted by: Shunsuke SHINOMIYA
PR: kern/125003
MFC after: 2 weeks
2009-06-07 23:00:40 +00:00
|
|
|
break;
|
|
|
|
case GIFSOPTS:
|
|
|
|
if ((error = priv_check(curthread, PRIV_NET_GIF)) != 0)
|
|
|
|
break;
|
2018-03-30 18:50:13 +00:00
|
|
|
error = copyin(ifr_data_get_ptr(ifr), &options,
|
|
|
|
sizeof(options));
|
2009-06-09 08:09:30 +00:00
|
|
|
if (error)
|
|
|
|
break;
|
2018-06-05 21:24:59 +00:00
|
|
|
if (options & ~GIF_OPTMASK) {
|
2009-06-09 08:09:30 +00:00
|
|
|
error = EINVAL;
|
Rework IP encapsulation handling code.
Currently it has several disadvantages:
- it uses single mutex to protect internal structures. It is used by
data- and control- path, thus there are no parallelism at all.
- it uses single list to keep encap handlers for both INET and INET6
families.
- struct encaptab keeps unneeded information (src, dst, masks, protosw),
that isn't used by code in the source tree.
- matches are prioritized and when many tunneling interfaces are
registered, encapcheck handler of each interface is invoked for each
packet. The search takes O(n) for n interfaces. All this work is done
with exclusive lock held.
What this patch includes:
- the datapath is converted to be lockless using epoch(9) KPI.
- struct encaptab now linked using CK_LIST.
- all unused fields removed from struct encaptab. Several new fields
addedr: min_length is the minimum packet length, that encapsulation
handler expects to see; exact_match is maximum number of bits, that
can return an encapsulation handler, when it wants to consume a packet.
- IPv6 and IPv4 handlers are stored in separate lists;
- added new "encap_lookup_t" method, that will be used later. It is
targeted to speedup lookup of needed interface, when gif(4)/gre(4) have
many interfaces.
- the need to use protosw structure is eliminated. The only pr_input
method was used from this structure, so I don't see the need to keep
using it.
- encap_input_t method changed to avoid using mbuf tags to store softc
pointer. Now it is passed directly trough encap_input_t method.
encap_getarg() funtions is removed.
- all sockaddr structures and code that uses them removed. We don't have
any code in the tree that uses them. All consumers use encap_attach_func()
method, that relies on invoking of encapcheck() to determine the needed
handler.
- introduced struct encap_config, it contains parameters of encap handler
that is going to be registered by encap_attach() function.
- encap handlers are stored in lists ordered by exact_match value, thus
handlers that need more bits to match will be checked first, and if
encapcheck method returns exact_match value, the search will be stopped.
- all current consumers changed to use new KPI.
Reviewed by: mmacy
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D15617
2018-06-05 20:51:01 +00:00
|
|
|
break;
|
|
|
|
}
|
2018-06-05 21:24:59 +00:00
|
|
|
if (sc->gif_options != options) {
|
|
|
|
switch (sc->gif_family) {
|
2014-10-14 13:31:47 +00:00
|
|
|
#ifdef INET
|
2018-06-05 21:24:59 +00:00
|
|
|
case AF_INET:
|
|
|
|
error = in_gif_setopts(sc, options);
|
|
|
|
break;
|
2014-10-14 13:31:47 +00:00
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
2018-06-05 21:24:59 +00:00
|
|
|
case AF_INET6:
|
|
|
|
error = in6_gif_setopts(sc, options);
|
|
|
|
break;
|
2002-10-16 19:49:37 +00:00
|
|
|
#endif
|
2018-06-05 21:24:59 +00:00
|
|
|
default:
|
|
|
|
/* No need to invoke AF-handler */
|
|
|
|
sc->gif_options = options;
|
2014-10-14 13:31:47 +00:00
|
|
|
}
|
2002-10-16 19:49:37 +00:00
|
|
|
}
|
2018-06-05 21:24:59 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
error = EINVAL;
|
|
|
|
break;
|
2014-10-14 13:31:47 +00:00
|
|
|
}
|
2018-06-05 21:24:59 +00:00
|
|
|
if (error == 0 && sc->gif_family != 0) {
|
|
|
|
if (
|
2002-10-16 19:49:37 +00:00
|
|
|
#ifdef INET
|
2018-06-05 21:24:59 +00:00
|
|
|
cmd == SIOCSIFPHYADDR ||
|
2002-10-16 19:49:37 +00:00
|
|
|
#endif
|
|
|
|
#ifdef INET6
|
2018-06-05 21:24:59 +00:00
|
|
|
cmd == SIOCSIFPHYADDR_IN6 ||
|
2002-10-16 19:49:37 +00:00
|
|
|
#endif
|
2018-06-05 21:24:59 +00:00
|
|
|
0) {
|
|
|
|
if_link_state_change(ifp, LINK_STATE_UP);
|
|
|
|
}
|
2016-04-10 23:07:00 +00:00
|
|
|
}
|
2014-10-14 13:31:47 +00:00
|
|
|
bad:
|
2018-06-05 21:24:59 +00:00
|
|
|
sx_xunlock(&gif_ioctl_sx);
|
2014-10-14 13:31:47 +00:00
|
|
|
return (error);
|
2002-10-16 19:49:37 +00:00
|
|
|
}
|
|
|
|
|
2014-10-14 13:31:47 +00:00
|
|
|
static void
|
2018-06-05 21:24:59 +00:00
|
|
|
gif_delete_tunnel(struct gif_softc *sc)
|
2001-07-02 21:02:09 +00:00
|
|
|
{
|
|
|
|
|
2018-06-05 21:24:59 +00:00
|
|
|
sx_assert(&gif_ioctl_sx, SA_XLOCKED);
|
|
|
|
if (sc->gif_family != 0) {
|
2018-10-21 18:06:15 +00:00
|
|
|
CK_LIST_REMOVE(sc, srchash);
|
2018-06-05 21:24:59 +00:00
|
|
|
CK_LIST_REMOVE(sc, chain);
|
|
|
|
/* Wait until it become safe to free gif_hdr */
|
|
|
|
GIF_WAIT();
|
2014-10-14 13:31:47 +00:00
|
|
|
free(sc->gif_hdr, M_GIF);
|
2001-07-02 21:02:09 +00:00
|
|
|
}
|
2018-06-05 21:24:59 +00:00
|
|
|
sc->gif_family = 0;
|
|
|
|
GIF2IFP(sc)->if_drv_flags &= ~IFF_DRV_RUNNING;
|
|
|
|
if_link_state_change(GIF2IFP(sc), LINK_STATE_DOWN);
|
2001-07-02 21:02:09 +00:00
|
|
|
}
|