specific privilege names to a broad range of privileges. These may
require some future tweaking.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
Alex Lyashkov <umka at sevcity dot net>,
Skip Ford <skip dot ford at verizon dot net>,
Antoine Brodin <antoine dot brodin at laposte dot net>
mbuf clusters. Add a flags parameter to accept M_PKTHDR and M_EOR mbuf
chain flags. Provide compatibility macro for m_getm() calling m_getm2()
with M_PKTHDR set.
Rewrite m_uiotombuf() to use m_getm2() for mbuf allocation and do the
uiomove() in a tight loop over the mbuf chain. Add a flags parameter to
accept mbuf flags to be passed to m_getm2(). Adjust all callers for the
extra parameter.
Sponsored by: TCP/IP Optimization Fundraise 2005
MFC after: 3 month
- Inline ship_msg() into ngs_rcvmsg().
- Plug memory leak in case if no control socket present.
- Remove malloc() and allocate the sockaddr on stack.
- style(9).
- Use malloc() and free() instead of MALLOC() and FREE() macros.
- Do not check malloc results if M_WAITOK was used.
- Remove linked list of all netgraph sockets. It isn't needed.
- Use ng_findhook() instead of searching the list ourselves.
- Use NG_WAITOK in syscalls.
- Remove unneeded includes.
- style(9)
m_pkthdr.ether_vlan. The presence of the M_VLANTAG flag on the mbuf
signifies the presence and validity of its content.
Drivers that support hardware VLAN tag stripping fill in the received
VLAN tag (containing both vlan and priority information) into the
ether_vtag mbuf packet header field:
m->m_pkthdr.ether_vtag = vlan_id; /* ntohs()? */
m->m_flags |= M_VLANTAG;
to mark the packet m with the specified VLAN tag.
On output the driver should check the mbuf for the M_VLANTAG flag to
see if a VLAN tag is present and valid:
if (m->m_flags & M_VLANTAG) {
... = m->m_pkthdr.ether_vtag; /* htons()? */
... pass tag to hardware ...
}
VLAN tags are stored in host byte order. Byte swapping may be necessary.
(Note: This driver conversion was mechanic and did not add or remove any
byte swapping in the drivers.)
Remove zone_mtag_vlan UMA zone and MTAG_VLAN definition. No more tag
memory allocation have to be done.
Reviewed by: thompsa, yar
Sponsored by: TCP/IP Optimization Fundraise 2005
of individual interfaces should match the ipackets/ibytes counter of
the aggregate (FEC) interface.
PR: kern/82189
Submitted by: Stikheev Andrew <sand AT zunet DOT ru>
MFC after: 3 days
trunk ports first. If that succeeds, and we're inside our own bounds,
so be it.
Still not ideal -- adding a port after changing an MTU doesn't change
port's MTU, but a step in the right direction.
PR: kern/95417
Submitted by: Vladimir Ivanov <wawa AT yandex-team DOT ru>
MFC after: 3 days
I've slightly edited a patch to make the conditional logic positive
and remove (what I think was) a redundant ng_fec_init() call.
are supposed to be set directly in ifnet already. This change fixes a
panic when ng_eiface node is attached to ng_fec node and the latter is
shut down (ng_fec sets flags and then calls SIOCSIFFLAGS with a NULL
argument).
MFC after: 3 days
- Fix a couple of LORs and panics;
- Temporarily remove the code that tries to cleanup sockets that stuck
on accepting queues (both complete and incomplete). I'm taking an ostrich
approach here until I find a better way to deal with sockets that were
disconnected before accepting (i.e. while socket was on complete or
incomplete accept queue).
- Store the Ethernet header in node softc.
- Initialize header with dst addr and ethertype in node
constructor method.
- In node connect method send NGM_ETHER_GET_ENADDR message
downwards.
- If received reply from ng_ether(4) store the src addr
in softc.
- Add NGM_PPPOE_SETENDADDR message that allows user to
override the address with whatever he/she wants.
- Print node ID, where possible.
- Prepend log messages with function name, or at least with "ng_pppoe".
Reviewed by: julian
Tested by: Joao Barros <joao.barros gmail.com>
on output frames.
Many people were confused with not working CARP, ng_bridge(4)
and other subsystems, because ng_ether(4) overwritten source
MAC address.
soreceive(), and sopoll(), which are wrappers for pru_sosend,
pru_soreceive, and pru_sopoll, and are now used univerally by socket
consumers rather than either directly invoking the old so*() functions
or directly invoking the protocol switch method (about an even split
prior to this commit).
This completes an architectural change that was begun in 1996 to permit
protocols to provide substitute implementations, as now used by UDP.
Consumers now uniformly invoke sosend(), soreceive(), and sopoll() to
perform these operations on sockets -- in particular, distributed file
systems and socket system calls.
Architectural head nod: sam, gnn, wollman
function, pru_close, to notify protocols that the file descriptor or
other consumer of a socket is closing the socket. pru_abort is now a
notification of close also, and no longer detaches. pru_detach is no
longer used to notify of close, and will be called during socket
tear-down by sofree() when all references to a socket evaporate after
an earlier call to abort or close the socket. This means detach is now
an unconditional teardown of a socket, whereas previously sockets could
persist after detach of the protocol retained a reference.
This faciliates sharing mutexes between layers of the network stack as
the mutex is required during the checking and removal of references at
the head of sofree(). With this change, pru_detach can now assume that
the mutex will no longer be required by the socket layer after
completion, whereas before this was not necessarily true.
Reviewed by: gnn
we intend for the user to be able to unload them later via kldunload(2)
instead of calling linker_load_module() and then directly adjusting the
ref count on the linker file structure. This makes the resulting
consumer code simpler and cleaner and better hides the linker internals
making it possible to sanely lock the linker.
use this ioctl to obtain the list of HCI nodes. User-space application
is expected to preallocate 'ng_btsocket_hci_raw_node_list_names' structure
and set limit in 'num_nodes' field. The 'nodes' field should be allocated
as well and it should have space for at least 'num_nodes' elements.
The SIOC_HCI_RAW_NODE_LIST_NAMES should be issued on bound raw HCI socket.
It does not really really matter what HCI name the socket is bound to, as
long as it is not empty.
MFC after: 1 week
sampling_interval) fields in netflow v5 header. We do not use
them but some netflow tools show garbage.
PR: kern/96296
Submitted by: David Duchscher
Approved by: glebius
MFC after: 1 week
rather than an error. Detaches do not "fail", they other occur or
the protocol flags SS_PROTOREF to take ownership of the socket.
soclose() no longer looks at so_pcb to see if it's NULL, relying
entirely on the protocol to decide whether it's time to free the
socket or not using SS_PROTOREF. so_pcb is now entirely owned and
managed by the protocol code. Likewise, no longer test so_pcb in
other socket functions, such as soreceive(), which have no business
digging into protocol internals.
Protocol detach routines no longer try to free the socket on detach,
this is performed in the socket code if the protocol permits it.
In rts_detach(), no longer test for rp != NULL in detach, and
likewise in other protocols that don't permit a NULL so_pcb, reduce
the incidence of testing for it during detach.
netinet and netinet6 are not fully updated to this change, which
will be in an upcoming commit. In their current state they may leak
memory or panic.
MFC after: 3 months
than an int, as an error here is not meaningful. Modify soabort() to
unconditionally free the socket on the return of pru_abort(), and
modify most protocols to no longer conditionally free the socket,
since the caller will do this.
This commit likely leaves parts of netinet and netinet6 in a situation
where they may panic or leak memory, as they have not are not fully
updated by this commit. This will be corrected shortly in followup
commits to these components.
MFC after: 3 months
if ksocket is connected to an interface-type node somewhere later
in the graph (e.g., ng_eiface or ng_iface), the csum_data may be
applied to a wrong packet (if we encapsulate Ethernet or IP).
MFC after: 3 days
- Run send queue down to completion, not just one packet.
It has been observed to cause a stall queue otherwise.
- Prevent queueing multiple function calls to a node.
MFC after: 3 days
by NGM_PPPOE_SETMODE message. When D-Link compat mode is on, we will
broadcast PADI with empty Service-Name to all listening hooks.
o Rewrite the compatibility options. Before we had two modes - standard
and non-standard (aka 3Com). Now we have standard mode and two compat
flags, that can be combined.
o Be consistent and do s/STUPID/3COM/g. I don't say that 3Com mode isn't
stupid, just want to make code easier to read.
PPPoE AC, servicing a specific Service-Name, when client sends a PADI
with an empty Service-Name. Should it reply with all available service
names or should it be silent? Our implementation had chosen the latter,
while some other had chosen the former (they say Linux and Cisco). Now
some PPPoE clients appear, that rely on the assumption that AC will
send all names in a PADO reply to a PADI with wildcard Service-Name.
These clients can't connect to FreeBSD AC.
I have requested comments from authors of RFC2516 via email, but
received no reply.
This change makes FreeBSD AC compatible with D-Link DI-614+ and
D-Link DI-624+ SOHO routers, and probably others.
Big thanks to D-Link's Russian office, namely Victor Platov, for
assistance and support in investigation and testing of this change.
Details:
o Split pppoe_match_svc() into three different functions serving
different purposes:
- pppoe_match_svc() - match non-empty Service-Name tag from PADI
against all available hooks in listening state.
- pppoe_find_svc() - check that given Service-Name is not yet
registered.
- pppoe_broadcast_padi() - send a copy of PADI packet with empty
Service-Name tag to all listening hooks.
o For NGM_PPPOE_LISTEN message use pppoe_find_svc().
o In ng_pppoe_rcvdata() in a PADI case use pppoe_match_svc() for
a non-empty Service-Name tag, and pppoe_broadcast_padi() in
either case.
A side effect from the above changes is that now pppoed(8) and mpd
will reply to a empty Service-Name PADI sending a PADO with two
Service-Name tags - an empty one and correct one. This is not fatal,
and will be corrected in pppoed(8) and mpd later. No need to update
node interface version.
Supported by: D-Link
in flags. When sending export datagram from expiry thread, then
use default zero flags. This removes unpleasant contention of the
interrupt thread on mutexes (usually ng_ksocket's socket buffer
mutex).
had been replied, the reply was always delivered to the originator
synchronously.
With introduction of netgraph item callbacks and a wait channel with
mutex in ng_socket(4), we have fixed the problem with ngctl(8) returning
earlier than the command has been proceeded by target node. But still
ngctl(8) can return prior to the reply has arrived to its node.
To fix this:
- Introduce a new flag for netgraph(4) messages - NGM_HASREPLY.
This flag is or'ed with message like NGM_READONLY.
- In netgraph userland library if we have sent a message with
NGM_HASREPLY flag, then select(2) until reply comes.
- Mark appropriate generic commands with NGM_HASREPLY flag,
gathering them into one enum {}. Bump generic cookie.
rather than in ifindex_table[]; all (except one) accesses are
through ifp anyway. IF_LLADDR() works faster, and all (except
one) ifaddr_byindex() users were converted to use ifp->if_addr.
- Stop storing a (pointer to) Ethernet address in "struct arpcom",
and drop the IFP2ENADDR() macro; all users have been converted
to use IF_LLADDR() instead.
a synchronous reprogramming of hardware MAC filters if the physical
interface are up and running. Previously, MAC filters would be
reconfigured only when the fec interface was brought up.
- Disallow bundle reconfiguration when virtual
interface is running; otherwise, removing a
port from a running configuration will cause
a panic in the start() method on the next packet
on an assumption that a bundle has an even
number of ports (2 or 4).
- Disallow bringing of virtual interface to a
running state when a bundle size is 0; otherwise,
adding and then removing the port will similarly
cause a panic.
- Add missing initialization of fec_ifstat when
adding a new port and fix media status reporting
when virtual interface isn't yet up (check for
fec_status of 1 rather than != 0).
previously, ifp->if_type was set to IFT_ETHER by
ether_ifattach(), now it's done by if_alloc() so
an assignment of if_type to IFT_PROPVIRTUAL after
if_alloc() but before ether_ifattach() broke it.
This makes arp(8) and friends happy about the fec
interfaces, and will allow us to use if_setlladdr()
on the fec interface.
- Set/reset IFF_DRV_RUNNING/IFF_DRV_OACTIVE in init()
and stop() methods rather than in ioctl(), like the
rest of the drivers do. This fixes a bug when an
"ifconfig fec0 ipv4_address" would not have made
the interface running, didn't launch the ticker
function to track media status of bundled ports,
etc.
destruction:
- Backout 1.62, since it doesn't fix all possible
problems.
- Upon node creation, put an additional reference on node.
- Add a mutex and refcounter to struct ngsock. Netgraph node,
control socket and data socket all count as references.
- Introduce ng_socket_free_priv() which removes one reference
from ngsock, and frees it when all references has gone.
- No direct pointers between pcbs and node, all pointing
is done via struct ngsock and protected with mutex.
- Introduce ng_topo_mtx, a mutex to protect topology changes.
- In ng_destroy_node() protect with ng_topo_mtx the process
of checking and pointing at ng_deadnode. [1]
- In ng_con_part2() check that our peer is not a ng_deadnode,
and protect the check with ng_topo_mtx.
- Add KASSERTs to ng_acquire_read/write, to make more
understandible synopsis in case if called on ng_deadnode.
Reported by: Roselyn Lee [1]
- Introduce a new flags NGQF_QREADER and NGQF_QWRITER,
which tell how the item should be actually applied,
overriding NGQF_READER/NGQF_WRITER flags.
- Do not differ between pending reader or writer. Use only
one flag that is raised, when there are pending items.
- Schedule netgraph ISR in ng_queue_rw(), so that callers
do not need to do this job.
- Fix several comments.
Submitted by: julian
- Prefer '_' to ' ', as it results in more easily parsed results in
memory monitoring tools such as vmstat.
- Remove punctuation that is incompatible with using memory type names
as file names, such as '/' characters.
- Disambiguate some collisions by adding subsystem prefixes to some
memory types.
- Generally prefer lower case to upper case.
- If the same type is defined in multiple architecture directories,
attempt to use the same name in additional cases.
Not all instances were caught in this change, so more work is required to
finish this conversion. Similar changes are required for UMA zone names.
following the protocol pru_listen() call to solisten_proto(), so
that it occurs under the socket lock acquisition that also sets
SO_ACCEPTCONN. This requires passing the new backlog parameter
to the protocol, which also allows the protocol to be aware of
changes in queue limit should it wish to do something about the
new queue limit. This continues a move towards the socket layer
acting as a library for the protocol.
Bump __FreeBSD_version due to a change in the in-kernel protocol
interface. This change has been tested with IPv4 and UNIX domain
sockets, but not other protocols.
