Commit Graph

170 Commits

Author SHA1 Message Date
Gleb Smirnoff
2b9536028f Don't check malloc(M_WAITOK) results. 2012-03-31 11:20:48 +00:00
Alexander V. Chernikov
732d27b32d - Permit number of ipfw tables to be changed in runtime.
net.inet.ip.fw.tables_max is now read-write.

- Bump IPFW_TABLES_MAX to 65535
Default number of tables is still 128

- Remove IPFW_TABLES_MAX from ipfw(8) code.

Sponsored by Yandex LLC

Approved by:    kib(mentor)

MFC after:      2 weeks
2012-03-25 20:37:59 +00:00
Alexander V. Chernikov
25a451a451 Fix VNET build broken by r232865.
Temporary remove the ability to assign different number of tables per VNET instance.
2012-03-12 15:41:36 +00:00
Alexander V. Chernikov
f8bee51a69 - Add ipfw eXtended tables permitting radix to be used for any kind of keys.
- Add support for IPv6 and interface extended tables
- Make number of tables to be loader tunable in range 0..65534.
- Use IP_FW3 opcode for all new extended table cmds

No ABI changes are introduced. Old userland will see valid tables for
IPv4 tables and no entries otherwise. Flush works for any table.

IP_FW3 socket option is used to encapsulate all new opcodes:
 /* IP_FW3 header/opcodes */
 typedef struct _ip_fw3_opheader {
        uint16_t opcode;        /* Operation opcode */
        uint16_t reserved[3];   /* Align to 64-bit boundary */
 } ip_fw3_opheader;

New opcodes added:
 IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST

ipfw(8) table argument parsing behavior is changed:
 'ipfw table 999 add host' now assumes 'host' to be interface name instead of
 hostname.

New tunable:
 net.inet.ip.fw.tables_max controls number of table supported by ipfw in given
 VNET instance. 128 is still the default value.

New syntax:
ipfw add skipto tablearg ip from any to any via table(42) in
ipfw add skipto tablearg ip from any to any via table(4242) out

This is a bit hackish, special interface name '\1' is used to signal interface
table number is passed in p.glob field.

Sponsored by Yandex LLC

Reviewed by:    ae
Approved by:    ae (mentor)

MFC after:      4 weeks
2012-03-12 14:07:57 +00:00
Oleg Bulyzhin
f35f35c976 - Refresh dynamic tcp rule only if both sides answered keepalive packets.
- Remove some useless assignments.

MFC after:	1 month
2012-02-28 22:00:41 +00:00
Oleg Bulyzhin
8ac1bb0495 lookup_dyn_rule_locked(): style(9) cleanup
MFC after:	1 month
2012-02-28 21:53:39 +00:00
Andrey V. Elsukov
313157dead Don't use `m' after m_megapullup.
PR:		kern/165373
MFC after:	3 days
2012-02-22 04:19:33 +00:00
Bjoern A. Zeeb
9dba179d5e IFC @231845
Sponsored by:	Cisco Systems, Inc.
2012-02-17 00:27:48 +00:00
Gleb Smirnoff
23ccd3d976 Make the 'tcpwin' option of ipfw(8) accept ranges and lists.
Submitted by:	sem
2012-02-06 11:35:29 +00:00
Bjoern A. Zeeb
cebf3b1b6a Make ipfw verify_path6() multi-FIB aware.
The "fib" and "setfib" keywords implementations need no adjustments.

Sponsored by:	Cisco Systems, Inc.
2012-02-03 13:12:42 +00:00
Luigi Rizzo
7dec311e83 a variable was erroneously declared as 32 bit instead of 64.
MFC after:	3 days
2012-01-27 13:26:25 +00:00
Bjoern A. Zeeb
08adfbbf62 Make #error messages string-literals and remove punctuation.
Reported by:	bde (for ip_divert)
Reviewed by:	bde
MFC after:	3 days
2012-01-22 10:41:58 +00:00
Eitan Adler
14517324d0 - add a missing "be" and "in"
- fix other errors introduced when committing r226436
- add 'function' to a sentence where it makes sense

Submitted by:	delphij
Submitted by:	dougb
Submitted by:	jhb
Approved by:	dougb
Approved by:	jhb
2011-11-11 22:27:09 +00:00
Ed Schouten
6472ac3d8a Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
The SYSCTL_NODE macro defines a list that stores all child-elements of
that node. If there's no SYSCTL_DECL macro anywhere else, there's no
reason why it shouldn't be static.
2011-11-07 15:43:11 +00:00
Ed Schouten
d745c852be Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.
This means that their use is restricted to a single C file.
2011-11-07 06:44:47 +00:00
Bjoern A. Zeeb
8813217a67 Always use the opt_*.h options for ipfw.ko, not just when
compiled into the kernel.
Do not try to build the module in case of no INET support but
keep #error calls for now in case we would compile it into the
kernel.

This should fix an issue where the module would fail to enable
IPv6 support from the rc framework, but also other INET and INET6
parts being silently compiled out without giving a warning in the
module case.

While here garbage collect unneeded opt_*.h includes.
opt_ipdn.h is not used anywhere but we need to leave the DUMMYNET
entry in options for conditional inclusion in kernel so keep the
file with the same name.

Reported by:	pluknet
Reviewed by:	plunket, jhb
MFC After:	3 days
2011-11-04 16:24:19 +00:00
Eitan Adler
36daf0495a - change "is is" to "is" or "it is"
- change "the the" to "the"

Approved by:	lstewart
Approved by:	sahil (mentor)
MFC after:	3 days
2011-10-16 14:30:28 +00:00
Bjoern A. Zeeb
75e54d6017 Unbreak no-ip and no-inet6 module builds with ipfw. For now continue to
build the ip_fw_pfil.c hooks and ipfw even in case of no-ip under the
assumption that the private L2 hook (which hopefully eventually will be a
pfil hook as well) can still be useful.

Allow building the module without inet as well.

Glanced at by:	jhb
MFC after:	3 days
2011-09-27 13:27:17 +00:00
John Baldwin
5bb3652f05 Allow the ipfw.ko module built with a kernel to honor any IPFIREWALL_*
options defined in the kernel config.  This more closely matches the
behavior of other modules which inherit configuration settings from the
kernel configuration during a kernel + modules build.

Reviewed by:	luigi
Approved by:	re (kib)
MFC after:	1 week
2011-09-12 21:09:56 +00:00
Bjoern A. Zeeb
8a006adb24 Add support for IPv6 to ipfw fwd:
Distinguish IPv4 and IPv6 addresses and optional port numbers in
user space to set the option for the correct protocol family.
Add support in the kernel for carrying the new IPv6 destination
address and port.
Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change
the address in the IP header.
Add support for IPv6 forwarding to a non-local destination.
Add a regession test uitilizing VIMAGE to check all 20 possible
combinations I could think of.

Obtained from:	David Dolson at Sandvine Incorporated
		(original version for ipfw fwd IPv6 support)
Sponsored by:	Sandvine Incorporated
PR:		bin/117214
MFC after:	4 weeks
Approved by:	re (kib)
2011-08-20 17:05:11 +00:00
Bjoern A. Zeeb
f76fdd221b Hide IPv6 next header parsing warnings under the verbose sysctl
so people can possibly disable it when their consoles are flooded,
or enabled it for debugging.

MFC after:	2 weeks
Approved by:	re (kib)
2011-08-20 14:20:36 +00:00
Bjoern A. Zeeb
0c4dbd5af7 After r225032 fix logging in a similar way masking the the IPv6
more fragments flag off so that offset == 0 checks work properly.

PR:		kern/145733
Submitted by:	Matthew Luckie (mjl luckie.org.nz)
MFC after:	2 weeks
X-MFC with:	r225032
Approved by:	re (kib)
2011-08-20 13:47:08 +00:00
Bjoern A. Zeeb
49239b28da If we detect an IPv6 fragment header and it is not the first fragment,
then terminate the loop as we will not find any further headers and
for short fragments this could otherwise lead to a pullup error
discarding the fragment.

PR:		kern/145733
Submitted by:	Matthew Luckie (mjl luckie.org.nz)
MFC after:	2 weeks
Approved by:	re (kib)
2011-08-20 13:46:19 +00:00
Bjoern A. Zeeb
720fee0674 ipfw internally checks for offset == 0 to determine whether the
packet is a/the first fragment or not.  For IPv6 we have added the
"more fragments" flag as well to be able to determine on whether
there will be more as we do not have the fragment header avaialble
for logging, while for IPv4 this information can be derived directly
from the IPv4 header.  This allowed fragmented packets to bypass
normal rules as proper masking was not done when checking offset.
Split variables to not need masking for IPv6 to avoid further errors.

PR:		kern/145733
Submitted by:	Matthew Luckie (mjl luckie.org.nz)
MFC after:	2 weeks
Approved by:	re (kib)
2011-08-20 13:17:47 +00:00
Bjoern A. Zeeb
391255b8a4 While not explicitly allowed by RFC 2460, in case there is no
translation technology involved (and that section is suggested to
be removed by Errata 2843), single packet fragments do not harm.

There is another errata under discussion to clarify and allow this.
Meanwhile add a sysctl to allow disabling this behaviour again.
We will treat single packet fragment (a fragment header added
when not needed) as if there was no fragment header.

PR:		kern/145733
Submitted by:	Matthew Luckie (mjl luckie.org.nz) (original version)
Tested by:	Matthew Luckie (mjl luckie.org.nz)
MFC after:	2 weeks
Approved by:	re (kib)
2011-08-20 12:40:17 +00:00
Andrey V. Elsukov
9527ec6e52 Add new rule actions "call" and "return" to ipfw. They make
possible to organize subroutines with rules.

The "call" action saves the current rule number in the internal
stack and rules processing continues from the first rule with
specified number (similar to skipto action). If later a rule with
"return" action is encountered, the processing returns to the first
rule with number of "call" rule saved in the stack plus one or higher.

Submitted by:	Vadim Goncharov
Discussed by:	ipfw@, luigi@
2011-06-29 10:06:58 +00:00
Bjoern A. Zeeb
e0bfbfce79 Update packet filter (pf) code to OpenBSD 4.5.
You need to update userland (world and ports) tools
to be in sync with the kernel.

Submitted by:	mlaier
Submitted by:	eri
2011-06-28 11:57:25 +00:00
Gleb Smirnoff
812f1d32e7 Add possibility to pass IPv6 packets to a divert(4) socket.
Submitted by:	sem
2011-06-27 12:21:11 +00:00
Andrey V. Elsukov
bb3dd40974 Do not use SET_HOST_IPLEN() macro for IPv6 packets.
PR:		kern/157239
MFC after:	2 weeks
2011-06-21 06:06:47 +00:00
Andrey V. Elsukov
1875bbfe54 Implement "global" mode for ipfw nat. It is similar to natd(8)
"globalport" option for multiple NAT instances.

If ipfw rule contains "global" keyword instead of nat_number, then
for each outgoing packet ipfw_nat looks up translation state in all
configured nat instances. If an entry is found, packet aliased
according to that entry, otherwise packet is passed unchanged.

User can specify "skip_global" option in NAT configuration to exclude
an instance from the lookup in global mode.

PR:		kern/157867
Submitted by:	Alexander V. Chernikov (previous version)
Tested by:	Eugene Grosbein
2011-06-14 13:35:24 +00:00
Andrey V. Elsukov
3265f69ce6 Add IPv6 support to the ipfw uid/gid check. Pass an ip_fw_args structure
to the check_uidgid() function, since it contains all needed arguments
and also pointer to mbuf and now it is possible use in_pcblookup_mbuf()
function.

Since i can not test it for the non-FreeBSD case, i keep this ifdef
unchanged.

Tested by:	Alexander V. Chernikov
MFC after:	3 weeks
2011-06-14 07:20:16 +00:00
Andrey V. Elsukov
bd853db48c Make a behaviour of the libalias based in-kernel NAT a bit closer to
how natd(8) does work. natd(8) drops packets only when libalias returns
PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
always did drop packets that were not aliased, even if they should
not be aliased and just are going through.

PR:		kern/122109, kern/129093, kern/157379
Submitted by:	Alexander V. Chernikov (previous version)
MFC after:	1 month
2011-06-07 06:42:29 +00:00
Robert Watson
52cd27cb58 Implement a CPU-affine TCP and UDP connection lookup data structure,
struct inpcbgroup.  pcbgroups, or "connection groups", supplement the
existing inpcbinfo connection hash table, which when pcbgroups are
enabled, might now be thought of more usefully as a per-protocol
4-tuple reservation table.

Connections are assigned to connection groups base on a hash of their
4-tuple; wildcard sockets require special handling, and are members
of all connection groups.  During a connection lookup, a
per-connection group lock is employed rather than the global pcbinfo
lock.  By aligning connection groups with input path processing,
connection groups take on an effective CPU affinity, especially when
aligned with RSS work placement (see a forthcoming commit for
details).  This eliminates cache line migration associated with
global, protocol-layer data structures in steady state TCP and UDP
processing (with the exception of protocol-layer statistics; further
commit to follow).

Elements of this approach were inspired by Willman, Rixner, and Cox's
2006 USENIX paper, "An Evaluation of Network Stack Parallelization
Strategies in Modern Operating Systems".  However, there are also
significant differences: we maintain the inpcb lock, rather than using
the connection group lock for per-connection state.

Likewise, the focus of this implementation is alignment with NIC
packet distribution strategies such as RSS, rather than pure software
strategies.  Despite that focus, software distribution is supported
through the parallel netisr implementation, and works well in
configurations where the number of hardware threads is greater than
the number of NIC input queues, such as in the RMI XLR threaded MIPS
architecture.

Another important difference is the continued maintenance of existing
hash tables as "reservation tables" -- these are useful both to
distinguish the resource allocation aspect of protocol name management
and the more common-case lookup aspect.  In configurations where
connection tables are aligned with hardware hashes, it is desirable to
use the traditional lookup tables for loopback or encapsulated traffic
rather than take the expense of hardware hashes that are hard to
implement efficiently in software (such as RSS Toeplitz).

Connection group support is enabled by compiling "options PCBGROUP"
into your kernel configuration; for the time being, this is an
experimental feature, and hence is not enabled by default.

Subject to the limited MFCability of change dependencies in inpcb,
and its change to the inpcbinfo init function signature, this change
in principle could be merged to FreeBSD 8.x.

Reviewed by:    bz
Sponsored by:   Juniper Networks, Inc.
2011-06-06 12:55:02 +00:00
Andrey V. Elsukov
1e587bfa32 Do not return EINVAL when user does ipfw set N flush on an empty set.
MFC after:	2 weeks
2011-06-06 10:39:38 +00:00
Andrey V. Elsukov
281d42c371 O_FORWARD_IP is only action which depends from the result of lookup of
dynamic rules. We are doing forwarding in the following cases:
 o For the simple ipfw fwd rule, e.g.

	fwd 10.0.0.1 ip from any to any out xmit em0
	fwd 127.0.0.1,3128 tcp from any to any 80 in recv em1

 o For the dynamic fwd rule, e.g.

 	fwd 192.168.0.1 tcp from any to 10.0.0.3 3333 setup keep-state

        When this rule triggers it creates a dynamic rule, but this
	dynamic rule should forward packets only in forward direction.

 o And the last case that does not work before - simple fwd rule which
 triggers when some dynamic rule is already executed.

PR:		kern/147720, kern/150798
MFC after:	1 month
2011-06-01 19:44:52 +00:00
Andrey V. Elsukov
88eb7833cb Hide some debug messages under debug macro.
MFC after:	1 week
2011-06-01 12:33:05 +00:00
Andrey V. Elsukov
e35a05d3e7 Hide useless warning under debug macro.
PR:		kern/69963
MFC after:	1 week
2011-06-01 12:05:35 +00:00
Robert Watson
fa046d8774 Decompose the current single inpcbinfo lock into two locks:
- The existing ipi_lock continues to protect the global inpcb list and
  inpcb counter.  This lock is now relegated to a small number of
  allocation and free operations, and occasional operations that walk
  all connections (including, awkwardly, certain UDP multicast receive
  operations -- something to revisit).

- A new ipi_hash_lock protects the two inpcbinfo hash tables for
  looking up connections and bound sockets, manipulated using new
  INP_HASH_*() macros.  This lock, combined with inpcb locks, protects
  the 4-tuple address space.

Unlike the current ipi_lock, ipi_hash_lock follows the individual inpcb
connection locks, so may be acquired while manipulating a connection on
which a lock is already held, avoiding the need to acquire the inpcbinfo
lock preemptively when a binding change might later be required.  As a
result, however, lookup operations necessarily go through a reference
acquire while holding the lookup lock, later acquiring an inpcb lock --
if required.

A new function in_pcblookup() looks up connections, and accepts flags
indicating how to return the inpcb.  Due to lock order changes, callers
no longer need acquire locks before performing a lookup: the lookup
routine will acquire the ipi_hash_lock as needed.  In the future, it will
also be able to use alternative lookup and locking strategies
transparently to callers, such as pcbgroup lookup.  New lookup flags are,
supplementing the existing INPLOOKUP_WILDCARD flag:

  INPLOOKUP_RLOCKPCB - Acquire a read lock on the returned inpcb
  INPLOOKUP_WLOCKPCB - Acquire a write lock on the returned inpcb

Callers must pass exactly one of these flags (for the time being).

Some notes:

- All protocols are updated to work within the new regime; especially,
  TCP, UDPv4, and UDPv6.  pcbinfo ipi_lock acquisitions are largely
  eliminated, and global hash lock hold times are dramatically reduced
  compared to previous locking.
- The TCP syncache still relies on the pcbinfo lock, something that we
  may want to revisit.
- Support for reverting to the FreeBSD 7.x locking strategy in TCP input
  is no longer available -- hash lookup locks are now held only very
  briefly during inpcb lookup, rather than for potentially extended
  periods.  However, the pcbinfo ipi_lock will still be acquired if a
  connection state might change such that a connection is added or
  removed.
- Raw IP sockets continue to use the pcbinfo ipi_lock for protection,
  due to maintaining their own hash tables.
- The interface in6_pcblookup_hash_locked() is maintained, which allows
  callers to acquire hash locks and perform one or more lookups atomically
  with 4-tuple allocation: this is required only for TCPv6, as there is no
  in6_pcbconnect_setup(), which there should be.
- UDPv6 locking remains significantly more conservative than UDPv4
  locking, which relates to source address selection.  This needs
  attention, as it likely significantly reduces parallelism in this code
  for multithreaded socket use (such as in BIND).
- In the UDPv4 and UDPv6 multicast cases, we need to revisit locking
  somewhat, as they relied on ipi_lock to stablise 4-tuple matches, which
  is no longer sufficient.  A second check once the inpcb lock is held
  should do the trick, keeping the general case from requiring the inpcb
  lock for every inpcb visited.
- This work reminds us that we need to revisit locking of the v4/v6 flags,
  which may be accessed lock-free both before and after this change.
- Right now, a single lock name is used for the pcbhash lock -- this is
  undesirable, and probably another argument is required to take care of
  this (or a char array name field in the pcbinfo?).

This is not an MFC candidate for 8.x due to its impact on lookup and
locking semantics.  It's possible some of these issues could be worked
around with compatibility wrappers, if necessary.

Reviewed by:    bz
Sponsored by:   Juniper Networks, Inc.
2011-05-30 09:43:55 +00:00
Andrey V. Elsukov
d832ded1a1 Wrap long line.
MFC after:	2 weeks
2011-05-30 05:53:00 +00:00
Andrey V. Elsukov
41b6083752 Add tablearg support for ipfw setfib.
PR:		kern/156410
MFC after:	2 weeks
2011-05-30 05:37:26 +00:00
Andrey V. Elsukov
318b735cc3 Convert delay parameter back to ms when reporting to user.
PR:		156838
MFC after:	1 week
2011-05-06 07:13:34 +00:00
Gleb Smirnoff
acdef0460e Use size_t for sopt_valsize.
Submitted by:	Brandon Gooch <jamesbrandongooch gmail.com>
2011-04-21 08:18:55 +00:00
Bjoern A. Zeeb
ec4f97277f MFp4 CH=191466:
Move fw_one_pass to where it belongs: it is a property of ipfw,
not of ip_input.

Reviewed by:	gnn
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	3 days
2011-04-20 07:55:33 +00:00
Gleb Smirnoff
9d0a2ddf69 - Rewrite functions that copyin/out NAT configuration, so that they
calculate required memory size dynamically.
- Fix races on chain re-lock.
- Introduce new field to ip_fw_chain - generation count. Now utilized
  only in the NAT configuration, but can be utilized wider in ipfw.
- Get rid of NAT_BUF_LEN in ip_fw.h

PR:		kern/143653
2011-04-19 15:06:33 +00:00
Andrey V. Elsukov
e3665201f5 Add sysctl handlers for net.inet.ip.dummynet.hash_size, .pipe_byte_limit
and .pipe_slot_limit oids to prevent to set incorrect values.

MFC after:	2 weeks
2011-04-19 11:33:39 +00:00
Andrey V. Elsukov
8ad66025f6 ipdn_bound_var() functions is designed to bound a variable between
specified minimum and maximum. In case when specified default value
is out of bounds it does not work as expected and does not limit
variable. Check that default value is in range and limit it if needed.
Also bump max_hash_size value to 65536 to correspond with manual page.

PR:		kern/152887
MFC after:	2 weeks
2011-04-19 11:29:09 +00:00
Andrey V. Elsukov
3ab4af737d Use M_WAITOK instead M_WAIT for malloc. Remove unneded checks.
MFC after:	1 week
2011-04-19 05:59:37 +00:00
Gleb Smirnoff
ca47294ddf LibAliasInit() should allocate memory with M_WAITOK flag. Modify it
and its callers.
2011-04-18 20:07:08 +00:00
Gleb Smirnoff
d0e16e0d1e Pullup up to TCP header length before matching against 'tcpopts'.
PR:		kern/156180
Reviewed by:	luigi
2011-04-18 18:22:10 +00:00
Andrey V. Elsukov
9974d151ec Restore previous behaviour - always match rule when we doing tagging,
even when tag is already exists.

Reported by:	Vadim Goncharov
MFC after:	1 week
2011-04-12 15:20:34 +00:00