Commit Graph

3641 Commits

Author SHA1 Message Date
Luigi Rizzo
22f123afad more splitting of ip_fw2.c, now extract the 'table' routines
and the sockopt routines (the upper half of the kernel).

Whoever is the author of the 'table' code (Ruslan/glebius/oleg ?)
please change the attribution in ip_fw_table.c. I have copied
the copyright line from ip_fw2.c but it carries my name and I have
neither written nor designed the feature so I don't deserve
the credit.

MFC after:	1 month
2009-12-15 21:24:12 +00:00
Luigi Rizzo
70228fb346 Start splitting ip_fw2.c and ip_fw.h into smaller components.
At this time we pull out from ip_fw2.c the logging functions, and
support for dynamic rules, and move kernel-only stuff into
netinet/ipfw/ip_fw_private.h

No ABI change involved in this commit, unless I made some mistake.
ip_fw.h has changed, though not in the userland-visible part.

Files touched by this commit:

conf/files
	now references the two new source files

netinet/ip_fw.h
	remove kernel-only definitions gone into netinet/ipfw/ip_fw_private.h.

netinet/ipfw/ip_fw_private.h
	new file with kernel-specific ipfw definitions

netinet/ipfw/ip_fw_log.c
	ipfw_log and related functions

netinet/ipfw/ip_fw_dynamic.c
	code related to dynamic rules

netinet/ipfw/ip_fw2.c
	removed the pieces that goes in the new files

netinet/ipfw/ip_fw_nat.c
	minor rearrangement to remove LOOKUP_NAT from the
	main headers. This require a new function pointer.

A bunch of other kernel files that included netinet/ip_fw.h now
require netinet/ipfw/ip_fw_private.h as well.
Not 100% sure i caught all of them.

MFC after:	1 month
2009-12-15 16:15:14 +00:00
Luigi Rizzo
472099c4b0 implement a new match option,
lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N

which searches the specified field in table N and sets tablearg
accordingly.
With dst-ip or src-ip the option replicates two existing options.
When used with other arguments, the option can be useful to
quickly dispatch traffic based on other fields.

Work supported by the Onelab project.

MFC after:	1 week
2009-12-15 09:46:27 +00:00
Bjoern A. Zeeb
de0bd6f76b Throughout the network stack we have a few places of
if (jailed(cred))
left.  If you are running with a vnet (virtual network stack) those will
return true and defer you to classic IP-jails handling and thus things
will be "denied" or returned with an error.

Work around this problem by introducing another "jailed()" function,
jailed_without_vnet(), that also takes vnets into account, and permits
the calls, should the jail from the given cred have its own virtual
network stack.

We cannot change the classic jailed() call to do that,  as it is used
outside the network stack as well.

Discussed with:	julian, zec, jamie, rwatson (back in Sept)
MFC after:	5 days
2009-12-13 13:57:32 +00:00
Luigi Rizzo
b2089673e5 use div64 when converting back the burst value for userland 2009-12-10 18:37:14 +00:00
Luigi Rizzo
89717f91ef when draining a flowset free the entire chain, not just one packet. 2009-12-10 18:34:07 +00:00
Luigi Rizzo
478cae8a97 centralize the code to free a packet (or a chain) while in dummynet.
Remove an old macro and its stale comment.
2009-12-10 15:17:34 +00:00
Oleg Bulyzhin
22746035ec Fix burst processing for WF2Q pipes - do not increase available burst size
unless pipe is idle. This should fix follwing issues:
- 'dummynet: OUCH! pipe should have been idle!' log messages.
- exceeding configured pipe bandwidth.

MFC after:	1 week
2009-12-05 23:27:21 +00:00
Luigi Rizzo
f573a0a634 adjust comment in previous commit after Julian's explanation 2009-12-05 11:51:32 +00:00
Luigi Rizzo
bc0d5982e2 remove a dead block of code, document how the ipfw clients are
hooked and the difference in handling the 'enable' variable
for layer2 and layer3. The latter needs fixing once i figure out
how it worked pre-vnet.

MFC after:	7 days
2009-12-05 09:13:06 +00:00
Luigi Rizzo
e99816f1eb fix build with VNET enabled
Reported by: David Wolfskill
2009-12-05 08:32:12 +00:00
Hajimu UMEMOTO
2ea64e8ef9 Use INET_ADDRSTRLEN and INET6_ADDRSTRLEN rather than hard
coded number.

Spotted by:	bz
2009-12-04 15:39:37 +00:00
Luigi Rizzo
4f60c0b97d preparation work to replace the monster switch in ipfw_chk() with
table of functions.

This commit (which is heavily based on work done by Marta Carbone
in this year's GSOC project), removes the goto's and explicit
return from the inner switch(), so we will have a easier time when
putting the blocks into individual functions.

MFC after:	3 weeks
2009-12-03 14:22:15 +00:00
Hajimu UMEMOTO
a22e82b87b Teach an IPv6 to the debug prints. 2009-12-03 11:16:53 +00:00
Luigi Rizzo
3c95089ef4 - initialize src_ip in the main loop to prevent a compiler warning
(gcc 4.x under linux, not sure how real is the complaint).
- rename a macro argument to prevent name clashes.
-  add the macro name on a couple of #endif
- add a blank line for readability.

MFC after:	3 days
2009-12-02 17:50:52 +00:00
Luigi Rizzo
3429911d4d Dispatch sockopt calls to ipfw and dummynet
using the new option numbers, IP_FW3 and IP_DUMMYNET3.
Right now the modules return an error if called with those arguments
so there is no danger of unwanted behaviour.

MFC after:	3 days
2009-12-02 15:50:43 +00:00
Luigi Rizzo
0a13f6b1b3 small changes for portability and diff reduction wrt/ FreeBSD 7.
No functional differences.

- use the div64() macro to wrap 64 bit divisions
  (which almost always are 64 / 32 bits) so they are easier
  to handle with compilers or OS that do not have native
  support for 64bit divisions;

- use a local variable for p_numbytes even if not strictly
  necessary on HEAD, as it reduces diffs with FreeBSD7

- in dummynet_send() check that a tag is present before
  dereferencing the pointer.

- add a couple of blank lines for readability near the end of a function

MFC after:	3 days
2009-12-02 15:20:31 +00:00
Hajimu UMEMOTO
fd63c04193 Teach an IPv6 to send_pkt() and ipfw_tick().
It fixes the issue which keep-alive doesn't work for an IPv6.

PR:		kern/117234
Submitted by:	mlaier, Joost Bekkers <joost__at__jodocus.org>
MFC after:	1 month
2009-12-02 14:32:01 +00:00
Gleb Smirnoff
e81ab87652 Until this moment carp(4) used a strange logging priority. It used debug
priority for such important information as MASTER/BACKUP state change,
and used a normal logging priority for such innocent messages as receiving
short packet (which is a normal VRRP packet between some other routers) or
receving a CARP packet on non-carp interface (someone else running CARP).

This commit shifts message logging priorities to a more sane default.
2009-12-02 13:24:21 +00:00
Luigi Rizzo
de9fc6bcd4 Add new sockopt names for ipfw and dummynet.
This commit is just grabbing entries for the new names
that will be used in the future, so you don't need to
rebuild anything now.

MFC after:	3 days
2009-12-02 10:36:41 +00:00
Luigi Rizzo
9565806f16 change the type of the opcode from enum *:8 to u_int8_t
so the size and alignment of the ipfw_insn is not compiler dependent.
No changes in the code generated by gcc.

There was only one instance of this kind in our entire source tree,
so i suspect the old definition was a poor choice (which i made).

MFC after:	3 days
2009-12-02 08:52:06 +00:00
Michael Tuexen
dec7fa27c6 Use the default stack size for the iterator thread.
This fixes a crash reported by Irene Ruengeler.

Approved by: rrs (mentor)
MFC after: 1 month
2009-11-27 17:25:19 +00:00
Bruce M Simpson
a8cf681de2 Correct a comment.
MFC after:	1 day
2009-11-19 13:21:37 +00:00
Michael Tuexen
7e6206af12 Fix a bug where the system panics when a SHUTDOWN is received with an
illegal TSN.

Approved by: rrs (mentor)
MFC after: ASAP
2009-11-18 12:17:06 +00:00
Michael Tuexen
0e891bcdc1 Get rid of unused fields addr_over which is never really used,
only copied around.

Approved by: rrs (mentor)
2009-11-17 23:03:38 +00:00
Michael Tuexen
83fc1165c5 Use always LIST_EMPTY instead of sometime SCTP_LIST_EMPTY,
which is defined as LIST_EMPTY.

Approved by: rrs (mentor)
MFC after: 1 month
2009-11-17 20:56:14 +00:00
Michael Tuexen
2ab6846a23 Fix a bug where queued ASCONF messags are not sent out.
Approved by: rrs (mentor)
Obtained from:	Irene Ruengeler
MFC after: 1 month
2009-11-17 13:36:21 +00:00
Michael Tuexen
b6c5780299 Fix a memory leak when destroying an SCTP stack.
Clean up sctp_pcb_finish().
Approved by: rrs (mentor)
MFC after: 1 month
2009-11-17 13:13:58 +00:00
Michael Tuexen
87b4fcd323 Do not start the iterator when there are no associations.
This fixes a bug found by Irene Ruengeler.

Approved by: rrs (mentor)
MFC after: 1 month
2009-11-17 13:11:23 +00:00
Michael Tuexen
1e01164145 Disable (temporary) the thread based interator. It does not work with vnet.
Approved by: rrs (mentor)
2009-11-17 13:09:50 +00:00
Michael Tuexen
cf458c646d Allow the UMA to free data. This resolves the UMA related bug reported
by Julian.

Approved by: rrs (mentor)
MFC after: 1 month
2009-11-17 13:08:15 +00:00
Michael Tuexen
7a9b5b2040 Do not hold the lock longer than necessary.
Approved by: rrs (mentor)
MFC after: 1 month
2009-11-17 13:05:51 +00:00
Bruce M Simpson
793c70425a Fix a functional regression in multicast.
Userland daemons need to see IGMP traffic regardless of the group;
omit the imo filter check if the proto is IGMP. The kernel part
of IGMP will have already filtered appropriately at this point.

MFC after:      ASAP
Submitted by:   Franz Struwig
Reported by:    Ivor Prebeg, Franz Struwig
2009-11-15 11:07:22 +00:00
Attilio Rao
758801232c Move inet_aton() (specular to inet_ntoa(), already present in libkern)
into libkern in order to made it usable by other modules than alias_proxy.

Obtained from:	Sandvine Incorporated
Sponsored by:	Sandvine Incorporated
MFC:		1 week
2009-11-12 00:46:28 +00:00
Edward Tomasz Napierala
4f7418a09f Remove ifdefed out part of code, which seems to have originated a decade ago
in OpenBSD.  As it is now, there is no way for this to be useful, since IPsec
is free to forward packets via whatever interface it wants, so checking
capabilities of the interface passed from ip_output (fetched from the routing
table) serves no purpose.

Discussed with:	sam@
2009-11-09 19:53:34 +00:00
Oleg Bulyzhin
57edc1bbf3 style(9): add missing parentheses 2009-11-09 09:12:45 +00:00
John Baldwin
c6d9480519 Several years ago a feature was added to TCP that casued soreceive() to
send an ACK right away if data was drained from a TCP socket that had
previously advertised a zero-sized window.  The current code requires the
receive window to be exactly zero for this to kick in.  If window scaling is
enabled and the window is smaller than the scale, then the effective window
that is advertised is zero.  However, in that case the zero-sized window
handling is not enabled because the window is not exactly zero.  The fix
changes the code to check the raw window value against zero.

Reviewed by:	bz
MFC after:	1 week
2009-11-06 16:55:05 +00:00
Oleg Bulyzhin
5661377e37 Fix two issues that can lead to exceeding configured pipe bandwidth:
- do not expire queues which are not ready to be expired.
- properly calculate available burst size.

MFC after:	3 days
2009-11-03 08:41:14 +00:00
Michael Tuexen
08abf6399a Improve round robin stream scheduler and cleanup some code.
Approved by: rrs (mentor)
MFC after: 3 days
2009-10-29 17:40:33 +00:00
Christian Brueffer
621882f0bc Close a stream file descriptor leak.
PR:		138130
Submitted by:	Patroklos Argyroudis <argp@census-labs.com>
MFC after:	1 week
2009-10-28 12:10:29 +00:00
Michael Tuexen
d18f7e0a98 Bugfix: Use formula from section 7.2.3 of RFC 4960. Reported by Martin Becke.
Approved by: rrs (mentor)
MFC after: 3 days
2009-10-27 18:17:07 +00:00
Michael Tuexen
ac9bce0f3b Improve the round robin stream scheduler.
Approved by: rrs (mentor)
MFC after: 3 days
2009-10-26 19:23:34 +00:00
Robert Watson
99b96cf934 Correct spelling typo in ip_input comment.
Pointed out by:	N.J. Mann <njm at njm.me.uk>,
		John Nielsen <john at jnielsen.net>, julian (!), lstewart
MFC after:	2 days
2009-10-24 09:18:26 +00:00
Qing Li
6cb2b4e7a8 Use the correct option name in the preprocessor command to enable
or disable diagnostic messages.

Reviewed by:	ru
MFC after:	3 days
2009-10-23 18:27:34 +00:00
Robert Watson
0d3d0d74ea Improve grammar in ip_input comment while attempting to maintain what
might be its meaning.

MFC after:	3 days
2009-10-23 13:35:00 +00:00
Qing Li
fc02323563 In the ARP callout timer expiration function, the current time_second
is compared against the entry expiration time value (that was set based
on time_second) to check if the current time is larger than the set
expiration time. Due to the +/- timer granularity value, the comparison
returns false, causing the alternative code to be executed. The
alternative code path freed the memory without removing that entry
from the table list, causing a use-after-free bug.

Reviewed by:	discussed with kmacy
MFC after:	immediately
Verified by:	rnoland, yongari
2009-10-20 17:55:42 +00:00
Robert Watson
6426657e9f Rewrap ip_input() comment so that it prints more nicely.
MFC after:	3 days
2009-10-18 11:23:56 +00:00
Qing Li
93704ac5d7 This patch fixes the following issues in the ARP operation:
1. There is a regression issue in the ARP code. The incomplete
   ARP entry was timing out too quickly (1 second timeout), as
   such, a new entry is created each time arpresolve() is called.
   Therefore the maximum attempts made is always 1. Consequently
   the error code returned to the application is always 0.
2. Set the expiration of each incomplete entry to a 20-second
   lifetime.
3. Return "incomplete" entries to the application.

Reviewed by:	kmacy
MFC after:	3 days
2009-10-15 06:12:04 +00:00
Bjoern A. Zeeb
852da713c3 Compare pointer to NULL rather than 0.
MFC after:	1 month
2009-10-13 20:29:14 +00:00
Michael Tuexen
f71e78a1d9 Fix a race condition where a mutex was destroyed while sleeping on it.
Found while analyzing a report from julian. It might fix his bug.
Approved by: rrs (mentor)
MFC after: 3 days
2009-10-11 12:23:56 +00:00