Commit Graph

461 Commits

Author SHA1 Message Date
Sam Leffler
7138d65c3f replace explicit changes to rt_refcnt by RT_ADDREF and RT_REMREF
macros that expand to include assertions when the system is built
with INVARIANTS

Supported by:	FreeBSD Foundation
2003-11-08 23:36:32 +00:00
Sam Leffler
7902224c6b o add a flags parameter to netisr_register that is used to specify
whether or not the isr needs to hold Giant when running; Giant-less
  operation is also controlled by the setting of debug_mpsafenet
o mark all netisr's except NETISR_IP as needing Giant
o add a GIANT_REQUIRED assertion to the top of netisr's that need Giant
o pickup Giant (when debug_mpsafenet is 1) inside ip_input before
  calling up with a packet
o change netisr handling so swi_net runs w/o Giant; instead we grab
  Giant before invoking handlers based on whether the handler needs Giant
o change netisr handling so that netisr's that are marked MPSAFE may
  have multiple instances active at a time
o add netisr statistics for packets dropped because the isr is inactive

Supported by:	FreeBSD Foundation
2003-11-08 22:28:40 +00:00
Hajimu UMEMOTO
ba3484d943 nuke obsoleted ipsec_gethist(). it just did panic to notify user
that it was obsoleted.  it is better to fail than just hiding use
of ipsec_gethist() at build.

Sugessted by:	"Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
2003-11-07 20:38:45 +00:00
Hajimu UMEMOTO
07027f9d23 correct behavior when ipv6mr_interface is 0. Matthias Drochner
Notified by:	itojun
Obtained from:	NetBSD
2003-11-06 16:42:59 +00:00
Hajimu UMEMOTO
4e2a2c6a2d byebye in6_ifawithscope(). it was a function for old source
address selection.

Obtained from:	KAME
2003-11-05 17:19:31 +00:00
Hajimu UMEMOTO
e6a2735045 make sure to treat destrination address as KAME internal form
of embedscope.
2003-11-05 16:09:21 +00:00
Hajimu UMEMOTO
d6385b1c0b source address selection part of RFC3484.
TODO: since there is scope issue to be solved, multicast and
link-local address are treated as special for workaround for
now.

Obtained from:	KAME
2003-11-04 20:22:33 +00:00
Hajimu UMEMOTO
0f9ade718d - cleanup SP refcnt issue.
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all.  secpolicy no longer contain
  spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy.  assign ID field to
  all SPD entries.  make it possible for racoon to grab SPD entry on
  pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header.  a mode is always needed
  to compare them.
- fixed that the incorrect time was set to
  sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- an user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called
  because key_spdacquire() had been implemented imcopletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility;
  alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent".
  XXX in theory refcnt should do the right thing, however, we have
  "spdflush" which would touch all SPs.  another solution would be to
  de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion.  ipsec_*_policy ->
  ipsec_*_pcbpolicy.
- avoid variable name confusion.
  (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
  secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we
  can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in
  "src" of the spidx specifies ICMP type, and the port field in "dst"
  of the spidx specifies ICMP code.
- avoid from applying IPsec transport mode to the packets when the
  kernel forwards the packets.

Tested by:	nork
Obtained from:	KAME
2003-11-04 16:02:05 +00:00
Hajimu UMEMOTO
4835e2c745 use nd6log().
Obtained from:	KAME
2003-11-04 14:09:37 +00:00
Hajimu UMEMOTO
4a201dfc18 - update comments to refrect recent BSDs.
- nuke unused macro PSUEDO_SET().
- I believe our if_xname stuff is nothing strange against other BSDs.

Obtained from:	KAME
2003-11-04 14:08:31 +00:00
Hajimu UMEMOTO
af12e09e86 rename variables.
Obtained from:	KAME
2003-11-02 19:09:29 +00:00
Brooks Davis
9bf40ede4a Replace the if_name and if_unit members of struct ifnet with new members
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.

This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.

Approved By:	re (in principle)
Reviewed By:	njl, imp
Tested On:	i386, amd64, sparc64
Obtained From:	NetBSD (if_xname)
2003-10-31 18:32:15 +00:00
Hajimu UMEMOTO
0a91356606 correct stat to increment.
Obtained from:	KAME
2003-10-31 17:51:54 +00:00
Hajimu UMEMOTO
29bc2c4833 do not insert a dest option header (even specified by a user) that
should be placed before a routing header, unless a routing header
really exists.

Obtained from:	KAME
2003-10-31 16:32:12 +00:00
Hajimu UMEMOTO
657db3c899 (icmp6_rip6_input) if the received data is small enough but in an
mbuf cluster, copy the data to a separate mbuf that do not use a
cluster.  this change will reduce the possiblity of packet loss
in the socket layer.

Obtained from:	KAME
2003-10-31 16:21:26 +00:00
Hajimu UMEMOTO
6bb73aea22 rename MLD6_* to MLD_*.
Obtained from:	KAME
2003-10-31 16:07:15 +00:00
Hajimu UMEMOTO
a02e1e2b41 use arc4random.
Obtained from:	KAME
2003-10-31 16:06:05 +00:00
Hajimu UMEMOTO
8d996f28d8 initialize in6_tmpaddrtimer_ch.
Obtained from:	KAME
2003-10-31 15:57:02 +00:00
Hajimu UMEMOTO
68795b9947 nuku unused functions in6_nigroup_attach() and
in6_nigroup_detach().

Obtained from:	KAME
2003-10-31 15:51:28 +00:00
Sam Leffler
9c63e9dbd7 Overhaul routing table entry cleanup by introducing a new rtexpunge
routine that takes a locked routing table reference and removes all
references to the entry in the various data structures. This
eliminates instances of recursive locking and also closes races
where the lock on the entry had to be dropped prior to calling
rtrequest(RTM_DELETE).  This also cleans up confusion where the
caller held a reference to an entry that might have been reclaimed
(and in some cases used that reference).

Supported by:	FreeBSD Foundation
2003-10-30 23:02:51 +00:00
Sam Leffler
457fc53d28 use a local variable to avoid holding a lock across a call out of view
Supported by:	FreeBSD Foundation
2003-10-30 22:56:13 +00:00
Hajimu UMEMOTO
349b668aab - unlock on error.
- don't call malloc with M_WAITOK within lock context.
2003-10-30 18:42:25 +00:00
Hajimu UMEMOTO
7fc91b3f1d add management part of address selection policy described in
RFC3484.

Obtained from:	KAME
2003-10-30 15:29:17 +00:00
Sam Leffler
2657cae39a correct LOR by using a local variable to hold result
instead of holding a lock while calling out of view

Supported by:	FreeBSD Foundation
2003-10-29 22:59:12 +00:00
Hajimu UMEMOTO
59dfcba4aa add ECN support in layer-3.
- implement the tunnel egress rule in ip_ecn_egress() in ip_ecn.c.
   make ip{,6}_ecn_egress() return integer to tell the caller that
   this packet should be dropped.
 - handle ECN at fragment reassembly in ip_input.c and frag6.c.

Obtained from:	KAME
2003-10-29 15:07:04 +00:00
Hajimu UMEMOTO
11de19f44d ip6_savecontrol() argument is redundant 2003-10-29 12:52:28 +00:00
Hajimu UMEMOTO
1410779a4f hide m_tag, again.
Requested by:	sam
2003-10-29 12:49:12 +00:00
Hajimu UMEMOTO
b266757652 make sure to accept only IPv6 packet.
Obtained from:	KAME
2003-10-28 16:45:29 +00:00
Hajimu UMEMOTO
2a5aafce0e cleanup use of m_tag.
Obtained from:	KAME
2003-10-28 16:29:26 +00:00
Hajimu UMEMOTO
8c0dd0e438 M_DONTWAIT was passed into malloc().
Submitted by:	Ian Dowse <iedowse@maths.tcd.ie>
2003-10-27 07:15:22 +00:00
Hajimu UMEMOTO
02b9a2066e re-add wrongly disappered IPV6_CHECKSUM stuff by introducing
ip6_raw_ctloutput().

Obtained from:	KAME
2003-10-26 18:17:01 +00:00
Hajimu UMEMOTO
862e960f61 drop unused defines. 2003-10-26 15:15:36 +00:00
Hajimu UMEMOTO
fe01034af8 drop unused fields. 2003-10-26 15:06:06 +00:00
Hajimu UMEMOTO
0021a48500 use uint32_t instead of u_int32_t for newly introduced
struct definition.
2003-10-26 10:49:18 +00:00
Hajimu UMEMOTO
618d51bbdc revert following unwanted changes:
- __packed to __attribute__((__packed__)
  -  uintN_t back to u_intN_t

Reported by:	bde
2003-10-25 10:57:08 +00:00
Hajimu UMEMOTO
16cd67e933 correct namespace pollution.
Submitted by:	bde
2003-10-25 09:37:10 +00:00
Hajimu UMEMOTO
c302f5bc07 remove the ip6r0_addr and ip6r0_slmap members from ip6_rthdr0{}
according to rfc2292bis.

Obtained from:	KAME
2003-10-24 20:37:05 +00:00
Hajimu UMEMOTO
f95d46333d Switch Advanced Sockets API for IPv6 from RFC2292 to RFC3542
(aka RFC2292bis).  Though I believe this commit doesn't break
backward compatibility againt existing binaries, it breaks
backward compatibility of API.
Now, the applications which use Advanced Sockets API such as
telnet, ping6, mld6query and traceroute6 use RFC3542 API.

Obtained from:	KAME
2003-10-24 18:26:30 +00:00
Sam Leffler
37bdc2803f check return result from rtalloc1 before invoking RTUNLOCK 2003-10-23 21:41:00 +00:00
Hajimu UMEMOTO
86b51224d4 we have ppsratecheck(). 2003-10-22 19:23:51 +00:00
Hajimu UMEMOTO
9bcf770ca8 IP6Q_LOCK_CHECK -> IP6Q_LOCK_ASSERT.
Sugested by:	sam
2003-10-22 19:03:49 +00:00
Hajimu UMEMOTO
66bb118edd drop the code of HAVE_NRL_INPCB part. our system doesn't
use NRL style INPCB.
2003-10-22 18:52:57 +00:00
Hajimu UMEMOTO
31e8f7e530 pretect ip6 reassemble queue by use of mutex.
Submitted by:	rwatson (with modification)
2003-10-22 15:32:56 +00:00
Hajimu UMEMOTO
9888c40195 - implement lock around IPv6 reassembly, to avoid panic due to
frag6_drain (mutex version will come later).
- limit number of fragments (not fragment queues) in kernel.

Obtained from:	KAME
2003-10-22 15:29:42 +00:00
Hajimu UMEMOTO
1ab976cb03 protect sid_default and sid.
Submitted by:	rwatson (with modification)
2003-10-22 15:13:36 +00:00
Hajimu UMEMOTO
65b01ff848 reduce calling in6_addr2zoneid(). 2003-10-22 15:12:06 +00:00
SUZUKI Shinsuke
b18521ee3b more strict sanity check for ESP tail
Obtained from: KAME
2003-10-22 10:44:59 +00:00
Hajimu UMEMOTO
9a4f9608ad - change scope to zone.
- change node-local to interface-local.
- better error handling of address-to-scope mapping.
- use in6_clearscope().

Obtained from:	KAME
2003-10-21 20:05:32 +00:00
Hajimu UMEMOTO
31b3783c8d correct linkmtu handling.
Obtained from:	KAME
2003-10-20 15:27:48 +00:00
Hajimu UMEMOTO
9132d5071c - revert to old rijndael code. new rijndael code broke gbde.
- since aes-xcbc-mac and aes-ctr require functions in new
  rijndael code, aes-xcbc-mac and aes-ctr are disabled for now.
2003-10-19 21:28:34 +00:00
Hajimu UMEMOTO
2d0e1cf17a rtfree() must be called in lock context.
Reported by:	jhay
2003-10-18 17:46:23 +00:00
Hajimu UMEMOTO
ae360dddc7 nuke duplicate function and unused function.
Obtained from:	KAME
2003-10-17 17:50:09 +00:00
Hajimu UMEMOTO
e0cac38a6d revert wrongly dropped null check by previous commit. 2003-10-17 17:34:31 +00:00
Hajimu UMEMOTO
31b1bfe1b0 - add dom_if{attach,detach} framework.
- transition to use ifp->if_afdata.

Obtained from:	KAME
2003-10-17 15:46:31 +00:00
Sam Leffler
e312432731 fix horribly botched MFp4 merge 2003-10-16 19:55:28 +00:00
Sam Leffler
3c92002f24 pfil hooks can modify packet contents so check if the destination
address has been changed when PFIL_HOOKS is enabled and, if it has,
arrange for the proper action by ip*_forward.

Submitted by:	Pyun YongHyeon
Supported by:	FreeBSD Foundation
2003-10-16 18:57:45 +00:00
Sam Leffler
ba00f0096d MFp4: correct locking issues in nd6_lookup
Supported by:	FreeBSD Foundation
2003-10-14 18:49:08 +00:00
Hajimu UMEMOTO
66c7fe4056 use BF_ecb_encrypt().
Obtained from:	KAME
2003-10-13 19:26:08 +00:00
Hajimu UMEMOTO
b42ac57f4f - support AES counter mode for ESP.
- use size_t as return type of schedlen(), as there's no error
  check needed.
- clear key schedule buffer before freeing.

Obtained from:	KAME
2003-10-13 14:57:41 +00:00
Hajimu UMEMOTO
79203b9869 support AES XCBC MAC for AH.
Obtained from:	KAME
2003-10-13 04:56:04 +00:00
Hajimu UMEMOTO
c65ee7c758 - support AES XCBC MAC for AH
- correct SADB_X_AALG_RIPEMD160HMAC to 8

Obtained from:	KAME
2003-10-13 04:54:51 +00:00
Hajimu UMEMOTO
d5d49fe472 include opencrypto/rmd160.h 2003-10-12 18:33:30 +00:00
Hajimu UMEMOTO
faf228234c remove unused variable.
Obtained from:	KAME
2003-10-12 15:14:33 +00:00
Hajimu UMEMOTO
7128815095 - avoid hardcoded values.
- correct signedness mixups.
- log fix.
- preparation for 64bit sequence number.
  introduce SA id (unique ID for SA - SPI is useless as duplicated
  SPI is allowed)
- no need to malloc/free cksum buffer.

Obtained from:	KAME
2003-10-12 12:03:25 +00:00
Hajimu UMEMOTO
83ca448c94 - always check for optlen overrun.
- panic if NULL is passed to ah_sumsiz (as we never do it,
  and callers do not properly check negative returns).

Obtained from:	KAME
2003-10-12 11:18:04 +00:00
Hajimu UMEMOTO
00c62ed413 - correct signedness mixups.
- avoid assuming result buffer size

Obtained from:	KAME
2003-10-12 11:08:18 +00:00
Hajimu UMEMOTO
0c72771dea avoid hardcoding MD5 result length (16)
Obtained from:	KAME
2003-10-12 09:51:32 +00:00
Hajimu UMEMOTO
492528c051 - RIPEMD160 support
- pass size arg to ah->result (avoid assuming result buffer size)

Obtained from:	KAME
2003-10-12 09:41:42 +00:00
Hajimu UMEMOTO
020a816f9e fixed an endian bug on fragment header scanning
Obtained from:	KAME
2003-10-10 19:49:52 +00:00
Hajimu UMEMOTO
953ad2fb67 nuke SCOPEDROUTING. Though it was there for a long time,
it was never enabled.
2003-10-10 16:04:00 +00:00
Hajimu UMEMOTO
7aab01fa76 switch cast128 implementation to implementation by Steve Reid;
smaller footprint.

Obtained from:	KAME
2003-10-10 15:06:16 +00:00
Hajimu UMEMOTO
0606da6241 - typo. found by markus@openbsd
- correct signedness mixup in pointer passing.
- drop meaningless variable.

Obtained from:	KAME
2003-10-09 18:44:54 +00:00
Hajimu UMEMOTO
07eb299520 - typo in comment
- style
- ANSIfy
(there is no functional change.)

Obtained from:	KAME
2003-10-09 16:13:47 +00:00
Hajimu UMEMOTO
7efe5d92ab - fix typo in comments.
- style.
- NULL is not 0.
- some variables were renamed.
- nuke unused logic.
(there is no functional change.)

Obtained from:	KAME
2003-10-08 18:26:08 +00:00
Sam Leffler
68974f2940 must lock route when the caller provided a route but not
an interface; otherwise the subsequent unlock blows up

Suffered by:	Marcel Moolenaar <marcel@xcllnt.net>
Supported by:	FreeBSD Foundation
2003-10-07 20:57:35 +00:00
Hajimu UMEMOTO
aa15ec9156 indent 2003-10-07 20:22:01 +00:00
Hajimu UMEMOTO
0527d33302 style and indent. no functional change.
Obtained from:	KAME
2003-10-07 19:51:22 +00:00
Hajimu UMEMOTO
06cd0a3f97 - fix typo in comment.
- style.

Obtained from:	KAME
2003-10-07 17:46:18 +00:00
Hajimu UMEMOTO
00165f8e92 nuke unused CTL_IPV6PROTO_NAMES macro. 2003-10-07 17:42:31 +00:00
Hajimu UMEMOTO
40e39bbb67 return(code) -> return (code)
(reduce diffs against KAME)
2003-10-06 14:02:09 +00:00
Sam Leffler
d1dd20be6e Locking for updates to routing table entries. Each rtentry gets a mutex
that covers updates to the contents.  Note this is separate from holding
a reference and/or locking the routing table itself.

Other/related changes:

o rtredirect loses the final parameter by which an rtentry reference
  may be returned; this was never used and added unwarranted complexity
  for locking.
o minor style cleanups to routing code (e.g. ansi-fy function decls)
o remove the logic to bump the refcnt on the parent of cloned routes,
  we assume the parent will remain as long as the clone; doing this avoids
  a circularity in locking during delete
o convert some timeouts to MPSAFE callouts

Notes:

1. rt_mtx in struct rtentry is guarded by #ifdef _KERNEL as user-level
   applications cannot/do-no know about mutex's.  Doing this requires
   that the mutex be the last element in the structure.  A better solution
   is to introduce an externalized version of struct rtentry but this is
   a major task because of the intertwining of rtentry and other data
   structures that are visible to user applications.
2. There are known LOR's that are expected to go away with forthcoming
   work to eliminate many held references.  If not these will be resolved
   prior to release.
3. ATM changes are untested.

Sponsored by:	FreeBSD Foundation
Obtained from:	BSD/OS (partly)
2003-10-04 03:44:50 +00:00
Hajimu UMEMOTO
5d40536819 add randomtab for ip6_randomflowlabel().
Obtained from:	KAME
2003-10-01 21:45:57 +00:00
Hajimu UMEMOTO
b79274ba41 randomize IPv6 flowlabel when RANDOM_IP_ID is defined.
Obtained from:	KAME
2003-10-01 21:24:28 +00:00
Hajimu UMEMOTO
18193b6f63 use arc4random() 2003-10-01 21:10:02 +00:00
Hajimu UMEMOTO
de27a78aca - include opt_random_ip_id.h
- we don't need to obtain microtime when using ip6_randomid.
2003-10-01 20:24:20 +00:00
Hajimu UMEMOTO
8513854d16 we don't need ip6_id when RANDOM_IP_ID is defined. 2003-10-01 18:23:27 +00:00
Hajimu UMEMOTO
01e22dc51b include opt_random_ip_id.h 2003-10-01 17:28:42 +00:00
Hajimu UMEMOTO
672467eb28 Don't compiled ip6_randomid() in if RANDOM_IP_ID is not defined. 2003-10-01 16:22:58 +00:00
Hajimu UMEMOTO
2923494300 Obey RANDOM_IP_ID.
Requested by:	sam
2003-10-01 16:00:12 +00:00
Hajimu UMEMOTO
8373d51d4b randomize IPv6 fragment ID.
Obtained from:	KAME
2003-10-01 15:13:29 +00:00
Sam Leffler
b140bc1fc8 Correct pfil_run_hooks return handling: if the return value is non-zero
then the mbuf has been consumed by a hook; otherwise beware of a null
mbuf return (gack).  In particular the bridge was doing the wrong thing.
While in the ipv6 code make it's handling of pfil_run_hooks identical
to netbsd.

Pointed out by:	Pyun YongHyeon <yongari@kt-is.co.kr>
2003-09-30 04:46:08 +00:00
Sam Leffler
134ea22494 o update PFIL_HOOKS support to current API used by netbsd
o revamp IPv4+IPv6+bridge usage to match API changes
o remove pfil_head instances from protosw entries (no longer used)
o add locking
o bump FreeBSD version for 3rd party modules

Heavy lifting by:	"Max Laier" <max@love2party.net>
Supported by:		FreeBSD Foundation
Obtained from:		NetBSD (bits of pfil.h and pfil.c)
2003-09-23 17:54:04 +00:00
Matthew N. Dodd
2049fdeefd Enable IPv6 for Token Ring. 2003-09-14 02:32:31 +00:00
Bill Paul
dcdc6667ce The in6_ifattach() routine contains the following code:
in6_pcbpurgeif0(LIST_FIRST(udbinfo.listhead), ifp);
        in6_pcbpurgeif0(LIST_FIRST(ripcbinfo.listhead), ifp);

The problem here is that udbinfo.listhead and ripcbinfo.listhead are
not initialized during the device probe/attach phase of the kernel
boot process. So if, for example, a network driver calls ether_ifattach()
in its foo_attach() routine and then decides that something is wrong
and calls ether_ifdetach() to reverse the process, we will panic trying
to dereference the uninitialized list head pointers. (Though the
same sequence of events performed after the kernel has come up works
file, i.e. doing kldload if_foo from multiuser.)

Change this to:

        if (udbinfo.listhead != NULL)
                in6_pcbpurgeif0(LIST_FIRST(udbinfo.listhead), ifp);
        if (ripcbinfo.listhead != NULL)
                in6_pcbpurgeif0(LIST_FIRST(ripcbinfo.listhead), ifp);

to avoid the NULL pointer dereferences.
2003-09-13 22:34:52 +00:00
Ruslan Ermilov
78f94aa951 Fix a bunch of off-by-one errors in the range checking code. 2003-09-11 21:40:21 +00:00
Hajimu UMEMOTO
07cf047d5a introduced a flag bit "ND6_IFF_ACCEPT_RTADV" in the nd_ifinfo structure to
control whether to accept RAs per-interface basis.
the new stuff ensures the backward compatibility;
- the kernel does not accept RAs on any interfaces by default.
- since the default value of the flag bit is on, the kernel accepts RAs
  on all interfaces when net.inet6.ip6.accept_rtadv is 1.

Obtained from:	KAME
MFC after:	1 week
2003-08-05 14:57:11 +00:00
Hajimu UMEMOTO
6a2a90b794 Cleanup useless break.
Submitted by:	JINMEI Tatuya <jinmei@isl.rdc.toshiba.co.jp>
2003-07-29 14:10:13 +00:00
Hajimu UMEMOTO
c2ada8f1de ip6fw does not handle ESP correctly
PR:		kern/54874
Submitted by:	JINMEI Tatuya <jinmei@shuttle.wide.toshiba.co.jp>
MFC after:	1 week
2003-07-27 16:21:10 +00:00
Olivier Houchard
56e6821e56 Do not attempt to access to inp_socket fields if the socket is in the TIME_WAIT
state, as inp_socket will then be NULL. This fixes a panic that occurs when one
tries to bind a port that was previously binded with remaining TIME_WAIT
sockets.
2003-06-17 00:31:30 +00:00
Matthew N. Dodd
e97c58c8cf Add definitions for IN6ADDR_LINKLOCAL_ALLMDNS_INIT and INADDR_ALLMDNS_GROUP. 2003-04-29 22:03:46 +00:00
SUZUKI Shinsuke
77d43daef8 panic() doesn't need \n
Obtained from: KAME
MFC after: 2 days
2003-04-29 08:43:56 +00:00
SUZUKI Shinsuke
e806243686 sync with the latest KAME (just a cosmetic change)
MFC after: 1 day
2003-04-28 08:21:57 +00:00
David E. O'Brien
152385d122 Explicitly declare 'int' parameters. 2003-04-21 16:27:46 +00:00
SUZUKI Shinsuke
db06e8a0dd fixed a mbuf leak when an IP packet from ESP tunnel is redirected
obtained from:	KAME
2003-03-29 08:31:28 +00:00
Hajimu UMEMOTO
11f3a6e295 made sure to keep the current stored lifetime when it was not updated
by an RA.
(a detailed description of this issue is found at the following URL.)
http://www.tahi.org/report/freebsd/freebsd48-rc2-20030316/host/lcna-stateless-addrconf/38.html

Reported by:	Ozoe Nobumichi <ozoe@tahi.org>
		through a periodic TAHI test
Submitted by:	JINMEI Tatuya <jinmei@isl.rdc.toshiba.co.jp>
Obtained from:	KAME
2003-03-26 17:37:35 +00:00
Sam Leffler
9adc8e4d75 correct malloc flag argument
Reported by:	Kris Kennaway <kris@obsecurity.org>
2003-03-12 06:08:48 +00:00
Jonathan Lemon
1cafed3941 Update netisr handling; Each SWI now registers its queue, and all queue
drain routines are done by swi_net, which allows for better queue control
at some future point.  Packets may also be directly dispatched to a netisr
instead of queued, this may be of interest at some installations, but
currently defaults to off.

Reviewed by: hsu, silby, jayanth, sam
Sponsored by: DARPA, NAI Labs
2003-03-04 23:19:55 +00:00
Jonathan Lemon
060958481a Fix another case for timewait. 2003-02-24 02:06:50 +00:00
Jonathan Lemon
8608c4c1f9 Remove unused variables in the IPSEC case.
Submitted by:  Lars Eggert <larse@ISI.EDU>
2003-02-20 18:22:21 +00:00
Jonathan Lemon
340c35de6a Add a TCP TIMEWAIT state which uses less space than a fullblown TCP
control block.  Allow the socket and tcpcb structures to be freed
earlier than inpcb.  Update code to understand an inp w/o a socket.

Reviewed by: hsu, silby, jayanth
Sponsored by: DARPA, NAI Labs
2003-02-19 22:32:43 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Sam Leffler
5c47350dad M_MOVE_PKTHDR must happen before any cluster is attached
Submitted by:	Harti Brandt <brandt@fokus.fraunhofer.de>
MFC after:	1 day
2003-02-18 06:20:16 +00:00
Alfred Perlstein
8deebb0160 Consolidate MIN/MAX macros into one place (param.h).
Submitted by: Hiten Pandya <hiten@unixdaemons.com>
2003-02-02 13:17:30 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Hajimu UMEMOTO
a5c8d51908 "struct route" is not sufficient. NetBSD PR 18751
Obtained from:	KAME
MFC after:	1 days
2003-01-08 17:59:24 +00:00
Sam Leffler
53d96a08a4 don't reference a pkthdr after M_MOVE_PKTHDR has "remove it"; instead
reference the pkthdr now in the destination of the move

Sponsored by:	Vernier Networks
2003-01-06 21:33:54 +00:00
Sam Leffler
0e7dea8326 purge extraneous clears of M_PKTHDR since M_MOVE_PKTHDR does this already 2003-01-06 21:29:27 +00:00
Mike Barcroft
f08294ced0 Bah, just use %zu for printing size_t. 2003-01-06 16:31:39 +00:00
Mike Barcroft
ea4c7ada01 Cast return values of sizeof() to int so they can be printed with %d.
The size of this struct is unlikely to ever grow beyond what an int
can represent.

Noticed by:	alpha tinderbox
2003-01-06 04:33:46 +00:00
Sam Leffler
2268ca475b correct pkthdr length calculation for ipv6 echo packets; after moving a packet
header with M_MOVE_PKTHDR one should not reference the packet header in the
original packet; in this case the code was assuming that m_adj would alter
m_pkthdr.len which stopped happening because M_MOVE_PKTHDR removes the
M_PKTHDR bit from m_flags

Submitted by:	Bill Fenner <fenner@research.att.com>
2003-01-05 22:37:36 +00:00
Jens Schweikhardt
9d5abbddbf Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup,
especially in troff files.
2003-01-01 18:49:04 +00:00
Jens Schweikhardt
d64ada501a Fix typos, mostly s/ an / a / where appropriate and a few s/an/and/
Add FreeBSD Id tag where missing.
2002-12-30 21:18:15 +00:00
Sam Leffler
9967cafc49 Correct mbuf packet header propagation. Previously, packet headers
were sometimes propagated using M_COPY_PKTHDR which actually did
something between a "move" and a  "copy" operation.  This is replaced
by M_MOVE_PKTHDR (which copies the pkthdr contents and "removes" it
from the source mbuf) and m_dup_pkthdr which copies the packet
header contents including any m_tag chain.  This corrects numerous
problems whereby mbuf tags could be lost during packet manipulations.

These changes also introduce arguments to m_tag_copy and m_tag_copy_chain
to specify if the tag copy work should potentially block.  This
introduces an incompatibility with openbsd which we may want to revisit.

Note that move/dup of packet headers does not handle target mbufs
that have a cluster bound to them.  We may want to support this;
for now we watch for it with an assert.

Finally, M_COPYFLAGS was updated to include M_FIRSTFRAG|M_LASTFRAG.

Supported by:	Vernier Networks
Reviewed by:	Robert Watson <rwatson@FreeBSD.org>
2002-12-30 20:22:40 +00:00
Ruslan Ermilov
71eba91593 If the caller of rtrequest*(RTM_DELETE, ...) asked for a copy of
the entry being removed (ret_nrt != NULL), increment the entry's
rt_refcnt like we do it for RTM_ADD and RTM_RESOLVE, rather than
messing around with 1->0 transitions for rtfree() all over.
2002-12-25 10:21:02 +00:00
Jeffrey Hsu
956b0b653c SMP locking for radix nodes. 2002-12-24 03:03:39 +00:00
Jeffrey Hsu
b30a244c34 SMP locking for ifnet list. 2002-12-22 05:35:03 +00:00
Sam Leffler
69f05a0761 define HAVE_PPSRATECHECK now that we have this stuff in the kernel
(probably belongs elsewhere; add it this way for now so the system
will build)
2002-12-20 23:57:22 +00:00
Bosko Milekic
86fea6be59 o Untangle the confusion with the malloc flags {M_WAITOK, M_NOWAIT} and
the mbuf allocator flags {M_TRYWAIT, M_DONTWAIT}.
o Fix a bpf_compat issue where malloc() was defined to just call
  bpf_alloc() and pass the 'canwait' flag(s) along.  It's been changed
  to call bpf_alloc() but pass the corresponding M_TRYWAIT or M_DONTWAIT
  flag (and only one of those two).

Submitted by: Hiten Pandya <hiten@unixdaemons.com> (hiten->commit_count++)
2002-12-19 22:58:27 +00:00
Jeffrey Hsu
19fc74fb60 Lock up ifaddr reference counts. 2002-12-18 11:46:59 +00:00
SUZUKI Shinsuke
6645ef44ad fixed a bug that IPv6 multicast packet is not forwarded if its packet size is equal to the outgoing interface's MTU
Approved by: re
Obtained from: KAME
MFC after: 3 days
2002-12-16 01:41:07 +00:00
Hajimu UMEMOTO
35f6695bb2 plugged memory leakage in some erroneous cases
Obtained from:	KAME
MFC after:	1 week
2002-10-31 19:45:48 +00:00
Hajimu UMEMOTO
b6e2845324 last arg of in6?_gif_output() is not used any more.
Obtained from:	KAME
MFC after:	3 weeks
2002-10-17 17:47:55 +00:00
Hajimu UMEMOTO
ab94625826 use encapcheck.
Obtained from:	KAME
MFC after:	3 weeks
2002-10-16 20:16:49 +00:00
Hajimu UMEMOTO
9426aedf7f - after gif_set_tunnel(), psrc/pdst may be null. set IFF_RUNNING accordingly.
- set IFF_UP on SIOCSIFADDR.  be consistent with others.
- set if_addrlen explicitly (just in case)
- multi destination mode is long gone.
- missing break statement
- add gif_set_tunnel(), so that we can set tunnel address from within the
  kernel at ease.
- encap_attach/detach dynamically on ioctls
- move encap_attach() to dedicated function in in*_gif.c

Obtained from:	KAME
MFC after:	3 weeks
2002-10-16 19:49:37 +00:00
Sam Leffler
b9234fafa0 Tie new "Fast IPsec" code into the build. This involves the usual
configuration stuff as well as conditional code in the IPv4 and IPv6
areas.  Everything is conditional on FAST_IPSEC which is mutually
exclusive with IPSEC (KAME IPsec implmentation).

As noted previously, don't use FAST_IPSEC with INET6 at the moment.

Reviewed by:	KAME, rwatson
Approved by:	silence
Supported by:	Vernier Networks
2002-10-16 02:25:05 +00:00
Sam Leffler
5d84645305 Replace aux mbufs with packet tags:
o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
  ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
  use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct
  inpcb parameter to ip_output and ip6_output to allow the IPsec code to
  locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version

Reviewed by:	julian, luigi (silent), -arch, -net, darren
Approved by:	julian, silence from everyone else
Obtained from:	openbsd (mostly)
MFC after:	1 month
2002-10-16 01:54:46 +00:00
Alfred Perlstein
ebc82cbbf0 s/__attribute__((__packed__))/__packed/g 2002-09-23 06:25:08 +00:00
Crist J. Clark
784d7650f7 Lock the sysctl(8) knobs that turn ip{,6}fw(8) firewalling and
firewall logging on and off when at elevated securelevel(8). It would
be nice to be able to only lock these at securelevel >= 3, like rules
are, but there is no such functionality at present. I don't see reason
to be adding features to securelevel(8) with MAC being merged into 5.0.

PR:		kern/39396
Reviewed by:	luigi
MFC after:	1 week
2002-08-25 03:50:29 +00:00
Hajimu UMEMOTO
0731a74b08 check packet length before fetching ESP crypto checksum.
Obtained from:	KAME
MFC after:	2 days
2002-08-24 04:48:13 +00:00
Archie Cobbs
4a6a94d8d8 Replace (ab)uses of "NULL" where "0" is really meant. 2002-08-22 21:24:01 +00:00
Mike Barcroft
abbd890233 o Merge <machine/ansi.h> and <machine/types.h> into a new header
called <machine/_types.h>.
o <machine/ansi.h> will continue to live so it can define MD clock
  macros, which are only MD because of gratuitous differences between
  architectures.
o Change all headers to make use of this.  This mainly involves
  changing:
    #ifdef _BSD_FOO_T_
    typedef	_BSD_FOO_T_	foo_t;
    #undef _BSD_FOO_T_
    #endif
  to:
    #ifndef _FOO_T_DECLARED
    typedef	__foo_t	foo_t;
    #define	_FOO_T_DECLARED
    #endif

Concept by:	bde
Reviewed by:	jake, obrien
2002-08-21 16:20:02 +00:00
Don Lewis
26ef6ac4df Create new functions in_sockaddr(), in6_sockaddr(), and
in6_v4mapsin6_sockaddr() which allocate the appropriate sockaddr_in*
structure and initialize it with the address and port information passed
as arguments.  Use calls to these new functions to replace code that is
replicated multiple times in in_setsockaddr(), in_setpeeraddr(),
in6_setsockaddr(), in6_setpeeraddr(), in6_mapped_sockaddr(), and
in6_mapped_peeraddr().  Inline COMMON_END in tcp_usr_accept() so that
we can call in_sockaddr() with temporary copies of the address and port
after the PCB is unlocked.

Fix the lock violation in tcp6_usr_accept() (caused by calling MALLOC()
inside in6_mapped_peeraddr() while the PCB is locked) by changing
the implementation of tcp6_usr_accept() to match tcp_usr_accept().

Reviewed by:	suz
2002-08-21 11:57:12 +00:00
Juli Mallett
ded7008a07 Enclose IPv6 addresses in brackets when they are displayed printable with a
TCP/UDP port seperated by a colon.  This is for the log_in_vain facility.

Pointed out by:	Edward J. M. Brocklesby
Reviewed by:	ume
MFC after:	2 weeks
2002-08-19 19:47:13 +00:00
Maxim Sobolev
62f7648682 Increase size of ifnet.if_flags from 16 bits (short) to 32 bits (int). To avoid
breaking application ABI use unused ifreq.ifru_flags[1] for upper 16 bits in
SIOCSIFFLAGS and SIOCGIFFLAGS ioctl's.

Reviewed by:	-hackers, -net
2002-08-18 07:05:00 +00:00
Robert Watson
4b32dfdcd7 Introduce support for Mandatory Access Control and extensible
kernel access control.

When generating nd6 output on an interface, label the packet
appropriately.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-02 20:49:14 +00:00
Hajimu UMEMOTO
7b79862463 correct comment for setsockopt arg size.
Reported by:	Martin Laabs <martin@martin.erfurt.thur.de>
Obtained from:	KAME
MFC after:	1 week
2002-07-25 20:40:09 +00:00
Hajimu UMEMOTO
eccb7001ee cleanup usage of ip6_mapped_addr_on and ip6_v6only. now,
ip6_mapped_addr_on is unified into ip6_v6only.

MFC after:	1 week
2002-07-25 17:40:45 +00:00
Hajimu UMEMOTO
dcaecffe69 Change the default setting of an IPv4-mapped IPv6 address to off.
Requested by:	many people
2002-07-25 15:44:01 +00:00
Hajimu UMEMOTO
1225379557 make sure to set/unset INP_IPV4 according to a value
of IN6P_IPV6_V6ONLY

Reviewed by:	Keiichi SHIMA <keiichi@iij.ad.jp>
2002-07-24 19:19:53 +00:00
Hajimu UMEMOTO
854d3b19a2 do not refer to IN6P_BINDV6ONLY anymore.
Obtained from:	KAME
MFC after:	1 week
2002-07-22 15:51:02 +00:00