Commit Graph

5168 Commits

Author SHA1 Message Date
Michael Tuexen
29b9533b43 Export the ssthresh value per SCTP path via the sysctl interface.
MFC after: 1 month
2015-07-07 06:34:28 +00:00
Ermal Luçi
d14122b078 Avoid doing multiple route lookups for the same destination IP during forwarding
ip_forward() does a route lookup for testing this packet can be sent to a known destination,
it also can do another route lookup if it detects that an ICMP redirect is needed,
it forgets all of this and handovers to ip_output() to do the same lookup yet again.

This optimisation just does one route lookup during the forwarding path and handovers that to be considered by ip_output().

Differential Revision:	https://reviews.freebsd.org/D2964
Approved by:	ae, gnn(mentor)
MFC after:	1 week
2015-07-02 18:10:41 +00:00
Navdeep Parhar
9523d1bfc3 Fix leak in tcp_lro_rx. Simply clearing M_PKTHDR isn't enough, any tags
hanging off the header need to be freed too.

Differential Revision:	https://reviews.freebsd.org/D2708
Reviewed by:	ae@, hiren@
2015-06-30 17:19:58 +00:00
Hiren Panchasara
f85680793b Avoid a situation where we do not set persist timer after a zero window
condition.
If you send a 0-length packet, but there is data is the socket buffer, and
neither the rexmt or persist timer is already set, then activate the persist
timer.

PR:			192599
Differential Revision:	D2946
Submitted by:		jlott at averesystems dot com
Reviewed by:		jhb, jch, gnn, hiren
Tested by:		jlott at averesystems dot com, jch
MFC after:		2 weeks
2015-06-29 21:23:54 +00:00
Hiren Panchasara
4c3972f0af Reverting r284710.
Today I learned: iff == if and only if.

Suggested by: many
2015-06-22 22:16:06 +00:00
Hiren Panchasara
26f2eb6979 Fix a typo: s/iff/if/
Sponsored by:	    Limelight Networks
2015-06-22 21:53:55 +00:00
Michael Tuexen
bb2dc69f9a Fix two KTRACE related bugs.
Reported by:	Coverity
CID:		1018058, 1018060

MFC after:	3 days
2015-06-19 21:55:12 +00:00
Michael Tuexen
5de07f524d When setting the primary address, return an error whenever it fails.
MFC after: 3 days
2015-06-19 12:48:22 +00:00
Andrey V. Elsukov
efb5228ce8 Fix possible use after free in encap[46]_input().
There is small window, when encap_detach() can free matched entry
directly after we release encapmtx. Instead of use pointer to the
matched entry, save pointers to needed variables from this entry
and use them after release mutex.

Pass argument stored in the encaptab entry to encap_fillarg(), instead
of pointer to matched entry. Also do not allocate new mbuf tag, when
argument that we plan to save in this tag is NULL.

Also make encaptab variable static.

Obtained from:	Yandex LLC
Sponsored by:	Yandex LLC
2015-06-18 18:28:38 +00:00
Michael Tuexen
5fe29cdf20 Fix a bug related to flow assignment I introduce in
https://svnweb.freebsd.org/base?view=revision&revision=275483

MFC after: 3 days
2015-06-17 19:26:23 +00:00
Michael Tuexen
d089f9b915 Add FIB support for SCTP.
This fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200379

MFC after: 3 days
2015-06-17 15:20:14 +00:00
Ermal Luçi
f0516b3c96 If there is a system with a bpf consumer running and a packet is wanted
to be transmitted but the arp cache entry expired, which triggers an arp request
to be sent, the bpf code might want to sleep but crash the system due
to a non sleep lock held from the arp entry not released properly.

Release the lock before calling the arp request code to solve the issue
as is done on all the other code paths.

PR:	200323
Approved by: ae, gnn(mentor)
MFC after:	1 week
Sponsored by:	Netgate
Differential Revision:	https://reviews.freebsd.org/D2828
2015-06-17 12:23:04 +00:00
Michael Tuexen
790a758db8 Correctly detect the case where the last address is removed.
MFC after: 3 days
2015-06-14 22:14:00 +00:00
Michael Tuexen
8e4844dc49 Stop the heartbeat timer when removing a net.
Thanks to the reporter of
https://code.google.com/p/sctp-refimpl/issues/detail?id=14
for reporting the issue.

MFC after: 3 days
2015-06-14 17:48:44 +00:00
Michael Tuexen
75cf6fb38e Fix the reporting of the PMTUD state for specific paths.
MFC after: 3 days
2015-06-12 18:59:29 +00:00
Michael Tuexen
9cbf1815c0 Code cleanup.
MFC after: 3 days
2015-06-12 17:20:09 +00:00
Michael Tuexen
a6a7d5cf0d In case of an output error, continue with the next net, don't try to
continue sending on the same net.

This fixes a bug where an invalid mbuf chain was constructed, if a
full size frame of control chunks should be sent and there is a
output error.

Based on a discussion with rrs@, change move to the next net. This fixes
the bug and improves the behaviour.

Thanks to Irene Ruengeler for spending a lot of time in narrowing this
problem down.
MFC after: 3 days
2015-06-12 16:01:41 +00:00
Julien Charbon
cad814eedf Fix a callout race condition introduced in TCP timers callouts with r281599.
In TCP timer context, it is not enough to check callout_stop() return value
to decide if a callout is still running or not, previous callout_reset()
return values have also to be checked.

Differential Revision:	https://reviews.freebsd.org/D2763
Reviewed by:		hiren
Approved by:		hiren
MFC after:		1 day
Sponsored by:		Verisign, Inc.
2015-06-10 20:43:07 +00:00
Michael Tuexen
0694a1bc74 Export a pointer to the SCTP socket. This is needed to add SCTP support
to sockstat.

MFC after: 3 days
2015-06-04 12:46:56 +00:00
Michael Tuexen
c06184c814 Remove printf() noise...
MFC after: 3 days
2015-05-29 08:31:15 +00:00
Michael Tuexen
c913390df3 Report the MTU consistently as specified in
https://tools.ietf.org/html/rfc6458
Thanks to Irene Ruengeler for helping me to fix this bug.
MFC after: 3 days
2015-05-28 20:33:28 +00:00
Michael Tuexen
0818979a3c Take source and destination address into account when determining
the scope.
This fixes a problem when a client with a global address
connects to a server with a private address.
Thanks to Irene Ruengeler in helping me to find the issue.

MFC after: 3 days
2015-05-28 19:28:08 +00:00
Michael Tuexen
d60568d78a Retire SCTP_DONT_DO_PRIVADDR_SCOPE which was never defined.
MFC after: 3 days
2015-05-28 18:52:32 +00:00
Michael Tuexen
70fa550b45 Fix a bug where messages would not be sent in SHUTDOWN_RECEIVED state.
This problem was reported by Mark Bonnekessel and Markus Boese.
Thanks to Irene Ruengeler for helping me to fix the cause of
the problem. It can be tested with the following packetdrill script:

+0.0 socket(..., SOCK_STREAM, IPPROTO_SCTP) = 3
+0.0 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
+0.0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
// Check the handshake with an empty(!) cookie
+0.1 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress)
+0.0 > sctp: INIT[flgs=0, tag=1, a_rwnd=..., os=..., is=..., tsn=0, ...]
+0.1 < sctp: INIT_ACK[flgs=0, tag=2, a_rwnd=10000, os=1, is=1, tsn=0, STATE_COOKIE[len=4, val=...]]
+0.0 > sctp: COOKIE_ECHO[flgs=0, len=4, val=...]
+0.1 < sctp: COOKIE_ACK[flgs=0]
+0.0 getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
+0.0 write(3, ..., 1024) = 1024
+0.0 > sctp: DATA[flgs=BE, len=1040, tsn=0, sid=0, ssn=0, ppid=0]
+0.0 write(3, ..., 1024) = 1024 // Pending due to Nagle
+0.0 < sctp: SHUTDOWN[flgs=0, cum_tsn=0]
+0.0 > sctp: DATA[flgs=BE, len=1040, tsn=1, sid=0, ssn=1, ppid=0]
+0.0 < sctp: SACK[flgs=0, cum_tsn=1, a_rwnd=10000, gaps=[], dups=[]] // Do we need another SHUTDOWN here?
+0.0 > sctp: SHUTDOWN_ACK[flgs=0]
+0.0 < sctp: SHUTDOWN_COMPLETE[flgs=0]
+0.0 close(3) = 0

MFC after: 3 days
2015-05-28 18:34:02 +00:00
Michael Tuexen
1c7db386c4 Use macros for overhead in a consistent way. No functional change.
Thanks to Irene Ruengeler for suggesting the change.

MFC after: 3 days
2015-05-28 17:57:56 +00:00
Michael Tuexen
ba78590287 Some more debug info cleanup.
MFC after: 3 days
2015-05-28 16:39:22 +00:00
Michael Tuexen
b7d130befc Fix and cleanup the debug information. This has no user-visible changes.
Thanks to Irene Ruengeler for proving a patch.

MFC after: 3 days
2015-05-28 16:00:23 +00:00
Michael Tuexen
548f47a8f1 Address some compiler warnings. No functional change.
MFC after: 3 days
2015-05-28 14:24:21 +00:00
Jung-uk Kim
fd90e2ed54 CALLOUT_MPSAFE has lost its meaning since r141428, i.e., for more than ten
years for head.  However, it is continuously misused as the mpsafe argument
for callout_init(9).  Deprecate the flag and clean up callout_init() calls
to make them more consistent.

Differential Revision:	https://reviews.freebsd.org/D2613
Reviewed by:	jhb
MFC after:	2 weeks
2015-05-22 17:05:21 +00:00
Hiren Panchasara
2645638064 Add a new sysctl net.inet.tcp.hostcache.purgenow=1 to expire and purge all
entries in hostcache immediately.

In collaboration with:	bz, rwatson
MFC after:	1 week
Relnotes:	yes
Sponsored by:	Limelight Networks
2015-05-20 01:08:01 +00:00
Hiren Panchasara
c52102dd25 Correct the wording as we are increasing the window size.
Reviewed by:	jhb
Sponsored by:	Limelight Networks
2015-05-19 19:17:20 +00:00
Andrey V. Elsukov
c1b4f79dfa Add an ability accept encapsulated packets from different sources by one
gif(4) interface. Add new option "ignore_source" for gif(4) interface.
When it is enabled, gif's encapcheck function requires match only for
packet's destination address.

Differential Revision:	https://reviews.freebsd.org/D2004
Obtained from:	Yandex LLC
MFC after:	2 weeks
Sponsored by:	Yandex LLC
2015-05-15 12:19:45 +00:00
Michael Tuexen
fcbbf5af1d Ensure that the COOKIE-ACK can be sent over UDP if the COOKIE-ECHO was
received over UDP.
Thanks to Felix Weinrank for makeing me aware of the problem and to
Irene Ruengeler for providing the fix.

MFC after: 1 week
2015-05-12 08:08:16 +00:00
George V. Neville-Neil
f00543eeab Add a state transition call to show that we have entered TIME_WAIT.
Although this is not important to the rest of the TCP processing
it is a conveneint way to make the DTrace state-transition probe
catch this important state change.

MFC after:	1 week
2015-05-01 12:49:03 +00:00
George V. Neville-Neil
bee68e9400 Move the SIFTR DTrace probe out of the writing thread context
and directly into the place where the data is collected.
2015-04-30 17:43:40 +00:00
George V. Neville-Neil
981ad3ecf9 Brief demo script showing the various values that can be read via
the new SIFTR statically defined tracepoint (SDT).

Differential Revision:	https://reviews.freebsd.org/D2387
Reviewed by:	bz, markj
2015-04-29 17:19:55 +00:00
Alexander V. Chernikov
74b22066b0 Make rule table kernel-index rewriting support any kind of objects.
Currently we have tables identified by their names in userland
with internal kernel-assigned indices. This works the following way:

When userland wishes to communicate with kernel to add or change rule(s),
it makes indexed sorted array of table names
(internally ipfw_obj_ntlv entries), and refer to indices in that
array in rule manipulation.
Prior to committing new rule to the ruleset kernel
a) finds all referenced tables, bump their refcounts and change
 values inside the opcodes to be real kernel indices
b) auto-creates all referenced but not existing tables and then
 do a) for them.

Kernel does almost the same when exporting rules to userland:
 prepares array of used tables in all rules in range, and
 prepends it before the actual ruleset retaining actual in-kernel
 indexes for that.

There is also special translation layer for legacy clients which is
able to provide 'real' indices for table names (basically doing atoi()).

While it is arguable that every subsystem really needs names instead of
numbers, there are several things that should be noted:

1) every non-singleton subsystem needs to store its runtime state
somewhere inside ipfw chain (and be able to get it fast)
2) we can't assume object numbers provided by humans will be dense.

Existing nat implementation (O(n) access and LIST inside chain) is a
good example.

Hence the following:
* Convert table-centric rewrite code to be more generic, callback-based
* Move most of the code from ip_fw_table.c to ip_fw_sockopt.c
* Provide abstract API to permit subsystems convert their objects
  between userland string identifier and in-kernel index.
  (See struct opcode_obj_rewrite) for more details
* Create another per-chain index (in next commit) shared among all subsystems
* Convert current NAT44 implementation to use new API, O(1) lookups,
 shared index and names instead of numbers (in next commit).

Sponsored by:	Yandex LLC
2015-04-27 08:29:39 +00:00
Andrey V. Elsukov
3e92c37f32 Remove now unneded KEY_FREESP() for case when ipsec[46]_process_packet()
returns EJUSTRETURN.

Sponsored by:	Yandex LLC
2015-04-27 01:11:09 +00:00
Andrey V. Elsukov
3d80e82d60 Fix possible use after free due to security policy deletion.
When we are passing mbuf to IPSec processing via ipsec[46]_process_packet(),
we hold one reference to security policy and release it just after return
from this function. But IPSec processing can be deffered and when we release
reference to security policy after ipsec[46]_process_packet(), user can
delete this security policy from SPDB. And when IPSec processing will be
done, xform's callback function will do access to already freed memory.

To fix this move KEY_FREESP() into callback function. Now IPSec code will
release reference to SP after processing will be finished.

Differential Revision:	https://reviews.freebsd.org/D2324
No objections from:	#network
Sponsored by:	Yandex LLC
2015-04-27 00:55:56 +00:00
Michael Tuexen
55f8a4bb1b Don't panic under INVARIANTS when receiving a SACK which cumacks
a TSN never sent.
While there, fix two typos.

MFC after: 1 week
2015-04-26 21:47:15 +00:00
Baptiste Daroussin
c37a0a8285 mdoc: fix rendering issues 2015-04-26 11:39:25 +00:00
Andrey V. Elsukov
1ffc12bc42 Fix possible reference leak.
Sponsored by:	Yandex LLC
2015-04-24 21:05:29 +00:00
Gleb Smirnoff
9c2cd1aa84 Improve carp(4) locking:
- Use the carp_sx to serialize not only CARP ioctls, but also carp_attach()
  and carp_detach().
- Use cif_mtx to lock only access to those the linked list.
- These locking changes allow us to do some memory allocations with M_WAITOK
  and also properly call callout_drain() in carp_destroy().
- In carp_attach() assert that ifaddr isn't attached. We always come here
  with a pristine address from in[6]_control().

Reviewed by:	oleg
Sponsored by:	Nginx, Inc.
2015-04-21 20:25:12 +00:00
Gleb Smirnoff
28ebe80cab Provide functions to determine presence of a given address
configured on a given interface.

Discussed with:	np
Sponsored by:	Nginx, Inc.
2015-04-17 11:57:06 +00:00
Julien Charbon
5571f9cf81 Fix an old and well-documented use-after-free race condition in
TCP timers:
 - Add a reference from tcpcb to its inpcb
 - Defer tcpcb deletion until TCP timers have finished

Differential Revision:	https://reviews.freebsd.org/D2079
Submitted by:		jch, Marc De La Gueronniere <mdelagueronniere@verisign.com>
Reviewed by:		imp, rrs, adrian, jhb, bz
Approved by:		jhb
Sponsored by:		Verisign, Inc.
2015-04-16 10:00:06 +00:00
Adrian Chadd
3e217461e6 Fix RSS build - netisr input / NETISR_IP_DIRECT is used here. 2015-04-15 00:57:21 +00:00
Mateusz Guzik
2574218578 Replace struct filedesc argument in getsock_cap with struct thread
This is is a step towards removal of spurious arguments.
2015-04-11 16:00:33 +00:00
Mateusz Guzik
90f54cbfeb fd: remove filedesc argument from fdclose
Just accept a thread instead. This makes it consistent with fdalloc.

No functional changes.
2015-04-11 15:40:28 +00:00
Xin LI
843b0e5716 Attempt to fix build after 281351 by defining full prototype for the
functions that were moved to ip_reass.c.
2015-04-11 01:06:59 +00:00
Gleb Smirnoff
c047fd1b99 o Use Jenkins hash. With previous hash, for a single source IP address and
sequential IP ID case (e.g. ping -f), distribution fell into 8-10 buckets
  out of 64. With Jenkins hash, distribution is even.
o Add random seed to the hash.

Sponsored by:	Nginx, Inc.
2015-04-10 06:55:43 +00:00