Commit Graph

3058 Commits

Author SHA1 Message Date
Bjoern A. Zeeb
b835b6fe2b Take the route mtu into account, if available, when sending an
ICMP unreach, frag needed.  Up to now we only looked at the
interface MTU. Make sure to only use the minimum of the two.

In case IPSEC is compiled in, loop the mtu through ip_ipsec_mtu()
to avoid any further conditional maths.

Without this, PMTU was broken in those cases when there was a
route with a lower MTU than the MTU of the outgoing interface.

PR:		kern/122338
Tested by:	Mark Cammidge  mark peralex.com
Reviewed by:	silence on net@
MFC after:	2 weeks
2008-04-09 05:17:18 +00:00
Andre Oppermann
3a4018c4e8 Remove TCP options ordering assumptions in tcp_addoptions(). Ordering
was changed in rev. 1.161 of tcp_var.h.  All option now test for sufficient
space in TCP header before getting added.

Reported by:	Mark Atkinson <atkin901-at-yahoo.com>
Tested by:	Mark Atkinson <atkin901-at-yahoo.com>
MFC after:	1 week
2008-04-07 19:09:23 +00:00
Andre Oppermann
5b2e33eab5 Remove now unnecessary comment. 2008-04-07 18:50:05 +00:00
Andre Oppermann
c343c524e1 Use #defines for TCP options padding after EOL to be consistent.
Reviewed by:	bz
2008-04-07 18:43:59 +00:00
Robert Watson
7a3244ccb7 Add further TCP inpcb locking assertions to some TCP input code paths.
MFC after:	1 month
2008-04-07 12:41:45 +00:00
Robert Watson
f457d58098 In in_pcbnotifyall() and in6_pcbnotify(), use LIST_FOREACH_SAFE() and
eliminate unnecessary local variable caching of the list head pointer,
making the code a bit easier to read.

MFC after:	3 weeks
2008-04-06 21:20:56 +00:00
Ruslan Ermilov
ea26d58729 Replaced the misleading uses of a historical artefact M_TRYWAIT with M_WAIT.
Removed dead code that assumed that M_TRYWAIT can return NULL; it's not true
since the advent of MBUMA.

Reviewed by:	arch

There are ongoing disputes as to whether we want to switch to directly using
UMA flags M_WAITOK/M_NOWAIT for mbuf(9) allocation.
2008-03-25 09:39:02 +00:00
Kip Macy
e79dd20dd5 change inp_wlock_assert to inp_lock_assert 2008-03-24 20:24:04 +00:00
Kip Macy
8815ab518a Label inp as unused in the non-INVARIANTS case 2008-03-24 00:29:01 +00:00
Kip Macy
3d5853271e Insulate inpcb consumers outside the stack from the lock type and offset within the pcb by adding accessor functions.
Reviewed by: rwatson
MFC after: 3 weeks
2008-03-23 22:34:16 +00:00
Paolo Pisati
63bea44682 Explicitate the newpacket size.
Bug pointed out by: many
Pointy hat to: me :(
2008-03-19 11:28:13 +00:00
Paolo Pisati
8368edc123 Don't cache ptr to nat rule in case of tablearg argument.
Bug spotted by: Dyadchenko Mihail
2008-03-17 23:02:56 +00:00
Paolo Pisati
f6efbc8842 Don't abuse stack space while in kernel land, use heap instead. 2008-03-17 22:08:31 +00:00
Robert Watson
c2877015a1 Fix indentation for a closing brace in in_pcballoc().
MFC after:	3 days
2008-03-17 13:04:56 +00:00
Bjoern A. Zeeb
9e3bdede0f Correct IPsec behaviour with a 'use' level in SP but no SA available.
In that case return an continue processing the packet without IPsec.

PR:		121384
MFC after:	5 days
Reported by:	Cyrus Rahman (crahman gmail.com)
Tested by:	Cyrus Rahman (crahman gmail.com) [slightly older version]
2008-03-14 16:38:11 +00:00
Paolo Pisati
ab0fcfd00a -Don't pass down the entire pkt to ProtoAliasIn, ProtoAliasOut, FragmentIn
and FragmentOut.
-Axe the old PacketAlias API: it has been deprecated since 5.x.
2008-03-12 11:58:29 +00:00
Bjoern A. Zeeb
413deb1262 Padding after EOL option must be zeros according to RFC793 but
the NOPs used are 0x01.
While we could simply pad with EOLs (which are 0x00), rather use an
explicit 0x00 constant there to not confuse poeple with 'EOL padding'.
Put in a comment saying just that.

Problem discussed on:	src-committers with andre, silby, dwhite as
			follow up to the rev. 1.161 commit of tcp_var.h.
MFC after:		11 days
2008-03-09 13:26:50 +00:00
Paolo Pisati
4741f3a109 MFP4:
restrict the utilization of direct pointers to the content of
	ip packet. These modifications are functionally nop()s thus
	can be merged with no side effects.
2008-03-06 21:50:41 +00:00
Rui Paulo
1cf6e4f5ff Change the default port range for outgoing connections by introducing
IPPORT_EPHEMERALFIRST and IPPORT_EPHEMERALLAST with values
10000 and 65535 respectively.
The rationale behind is that it makes the attacker's life more
difficult if he/she wants to guess the ephemeral port range and
also lowers the probability of a port colision (described in
draft-ietf-tsvwg-port-randomization-01.txt).

While there, remove code duplication in in_pcbbind_setup().

Submitted by:	Fernando Gont <fernando at gont.com.ar>
Approved by:	njl (mentor)
Reviewed by:	silby, bms
Discussed on:	freebsd-net
2008-03-04 19:16:21 +00:00
Paolo Pisati
31937d2fb0 When unloading kld, don't forget to flush the nat pointers. 2008-03-03 22:32:01 +00:00
Paolo Pisati
2b40ce00a5 Raise a bit ipfw kld priority.
Discussed on: net-, ipfw-.
2008-03-03 10:12:46 +00:00
Bjoern A. Zeeb
c3b02504bc Some "cleanup" of tcp_mss():
- Move the assigment of the socket down before we first need it.
  No need to do it at the beginning and then drop out the function
  by one of the returns before using it 100 lines further down.
- Use t_maxopd which was assigned the "tcp_mssdflt" for the corrrect
  AF already instead of another #ifdef ? : #endif block doing the same.
- Remove an unneeded (duplicate) assignment of mss to t_maxseg just before
  we possibly change mss and re-do the assignment without using t_maxseg
  in between.

Reviewed by:	silby
No objections:	net@ (silence)
MFC after:	5 days
2008-03-02 08:40:47 +00:00
Bjoern A. Zeeb
af92e6cf95 Fix indentation (whitespace changes only).
MFC after:	6 days
2008-03-01 22:27:15 +00:00
Paolo Pisati
531c890b8a Move ipfw's nat code into its own kld: ipfw_nat. 2008-02-29 22:27:19 +00:00
David Malone
2b2c3b23d1 Dummynet has a limit of 100 slots queue size (or 1MB, if you give
the limit in bytes) hard coded into both the kernel and userland.
Make both these limits a sysctl, so it is easy to change the limit.
If the userland part of ipfw finds that the sysctls don't exist,
it will just fall back to the traditional limits.

(100 packets is quite a small limit these days. If you want to test
TCP at 100Mbps, 100 packets can only accommodate a DBP of 12ms.)

Note these sysctls in the man page and warn against increasing them
without thinking first.

MFC after:      3 weeks
2008-02-27 13:52:33 +00:00
Paolo Pisati
f94a7fc0b5 Add table/tablearg support to ipfw's nat.
MFC After: 1 week
2008-02-24 15:37:45 +00:00
Mike Silbersack
ea346b19cc Change FreeBSD 7 so that it returns TCP options in
the same order that FreeBSD 6 and before did.  Doug
White and the other bloodhounds at ISC discovered that
while FreeBSD 7's ordering of options was more efficient,
it caused some cable modem routers to ignore the
SYN-ACKs ordered in this fashion.

The placement of sackOK after the timestamp option seems
to be the critical difference:

FreeBSD 6:
<mss 1460,nop,wscale 1,nop,nop,timestamp 3512155768 0,sackOK,eol>

FreeBSD 7.0:
<mss 1460,nop,wscale 3,sackOK,timestamp 1370692577 0>

FreeBSD 7.0 + this change:
<mss 1460,nop,wscale 3,nop,nop,timestamp 7371813 0,sackOK,eol>

MFC after: 1 week
2008-02-24 05:13:20 +00:00
Randall Stewart
7a846e9ad8 Fixes a memory leak when VRF's are in play.
Submitted by:	Prasad Narasimha (snprasad@cisco.com)
Reviewed by:	rrs
2008-02-22 15:08:10 +00:00
Randall Stewart
69d5ee4f23 - Takes out stray ifdef code that should not have been present. 2008-02-22 15:06:25 +00:00
Gleb Smirnoff
e60a0104f8 If the vhid already present, return EEXIST instead of
non-informative EINVAL.
2008-02-07 13:18:59 +00:00
Gleb Smirnoff
3a2f50140c Remove unused structure member from struct in_ifadown_arg. 2008-02-07 11:26:52 +00:00
Mike Silbersack
361021cc6e Replace the random IP ID generation code we
obtained from OpenBSD with an algorithm suggested
by Amit Klein.  The OpenBSD algorithm has a few
flaws; see Amit's paper for more information.

For a description of how this algorithm works,
please see the comments within the code.

Note that this commit does not yet enable random IP ID
generation by default.  There are still some concerns
that doing so will adversely affect performance.

Reviewed by:  rwatson
MFC After: 2 weeks
2008-02-06 15:40:30 +00:00
Bjoern A. Zeeb
c26fe973a3 Rather than passing around a cached 'priv', pass in an ucred to
ipsec*_set_policy and do the privilege check only if needed.

Try to assimilate both ip*_ctloutput code blocks calling ipsec*_set_policy.

Reviewed by:	rwatson
2008-02-02 14:11:31 +00:00
Robert Watson
265de5bb62 Correct two problems relating to sorflush(), which is called to flush
read socket buffers in shutdown() and close():

- Call socantrcvmore() before sblock() to dislodge any threads that
  might be sleeping (potentially indefinitely) while holding sblock(),
  such as a thread blocked in recv().

- Flag the sblock() call as non-interruptible so that a signal
  delivered to the thread calling sorflush() doesn't cause sblock() to
  fail.  The sblock() is required to ensure that all other socket
  consumer threads have, in fact, left, and do not enter, the socket
  buffer until we're done flushin it.

To implement the latter, change the 'flags' argument to sblock() to
accept two flags, SBL_WAIT and SBL_NOINTR, rather than one M_WAITOK
flag.  When SBL_NOINTR is set, it forces a non-interruptible sx
acquisition, regardless of the setting of the disposition of SB_NOINTR
on the socket buffer; without this change it would be possible for
another thread to clear SB_NOINTR between when the socket buffer mutex
is released and sblock() is invoked.

Reviewed by:	bz, kmacy
Reported by:	Jos Backus <jos at catnook dot com>
2008-01-31 08:22:24 +00:00
Randall Stewart
3ca1bceea5 - Fix a comment about prison.
- Fix it so the VRF is captured while locks are held.
MFC after:	1 week
2008-01-28 10:34:38 +00:00
Randall Stewart
bf949ea2d4 - Change back to using prioity 0. Which means don't change the
prioity when running the thread. (this is for the sctp_interator thread).

MFC after:	1 week
2008-01-28 10:33:41 +00:00
Randall Stewart
257438fb6c - Fix a bug where the socket may have been closed which
could cause a crash in the auth code.
Obtained from:	Michael Tuexen
MFC after:	1 week
2008-01-28 10:31:12 +00:00
Randall Stewart
f36d98069e - Fixes a comparison wrap issue with sack gap ack blocks that
span the 32 bit roll over mark.
2008-01-28 10:25:43 +00:00
Robert Watson
bb5081a7eb Hide ipfw internal data structures behind IPFW_INTERNAL rather than
exposing them to all consumers of ip_fw.h.  These structures are
used in both ipfw(8) and ipfw(4), but not part of the user<->kernel
interface for other applications to use, rather, shared
implementation.

MFC after:	3 days
Reported by:	Paul Vixie <paul at vix dot com>
2008-01-25 14:38:27 +00:00
Bjoern A. Zeeb
79ba395267 Replace the last susers calls in netinet6/ with privilege checks.
Introduce a new privilege allowing to set certain IP header options
(hop-by-hop, routing headers).

Leave a few comments to be addressed later.

Reviewed by:	rwatson (older version, before addressing his comments)
2008-01-24 08:25:59 +00:00
Bjoern A. Zeeb
107d12440a Differentiate between addifaddr and delifaddr for the privilege check.
Reviewed by:	rwatson
MFC after:	2 weeks
2008-01-24 08:14:38 +00:00
Robert Watson
109058b094 tcp_usrreq.c:1.313 removed tcbinfo locking from tcp_usr_accept(), which
while in principle a good idea, opened us up to a race inherrent to
the syncache's direct insertion of incoming TCP connections into the
"completed connection" listen queue, as it transpires that the socket
is inserted before the inpcb is fully filled in by syncache_expand().
The bug manifested with the occasional returning of 0.0.0.0:0 in the
address returned by the accept() system call, which occurred if accept
managed to execute tcp_usr_accept() before syncache_expand() had copied
the endpoint addresses into inpcb connection state.

Re-add tcbinfo locking around the address copyout, which has the effect
of delaying the copy until syncache_expand() has finished running, as
it is run while the tcbinfo lock is held.  This is undesirable in that
it increases contention on tcbinfo further, but a more significant
change will be required to how the syncache inserts new sockets in
order to fix this and keep more granular locking here.  In particular,
either more state needs to be passed into sonewconn() so that
pru_attach() can fill in the fields *before* the socket is inserted, or
the socket needs to be inserted in the incomplete connection queue
until it is actually ready to be used.

Reported by:	glebius (and kris)
Tested by:	glebius
2008-01-23 21:15:51 +00:00
Robert Watson
1e8f5ffa35 In tcp_ctloutput(), don't hold the inpcb lock over sooptcopyin(), rather,
drop the lock and then re-acquire it, revalidating TCP connection state
assumptions when we do so.  This avoids a potential lock order reversal
(and potential deadlock, although none have been reported) due to the
inpcb lock being held over a page fault.

MFC after:	1 week
PR:		102752
Reviewed by:	bz
Reported by:	Václav Haisman <v dot haisman at sh dot cvut dot cz>
2008-01-18 12:19:50 +00:00
Julian Elischer
b6ae6984e8 Don't duplicate the whole of arpresolve to arpresolve 2 for the sake
of two compares against 0. The negative effect of cache flushing
is probably more than the gain by not doing the two compares (the
value is almost certainly in register or at worst, cache).
Note that the uses of m_freem() are in error cases and m_freem()
handles NULL anyhow. So fast-path really isn't changed much at all.
2007-12-31 23:48:06 +00:00
Oleg Bulyzhin
5254af0cf1 Workaround p->numbytes overflow, which can result in infinite loop inside
dummynet module (prerequisite is using queues with "fat" pipe).

PR:		kern/113548
2007-12-25 09:36:51 +00:00
Robert Watson
0bffde27b2 When IPSEC fails to allocate policy state for an inpcb, and MAC is in use,
free the MAC label on the inpcb before freeing the inpcb.

MFC after:	3 days
Submitted by:	tanyong <tanyong at ercist dot iscas dot ac dot cn>,
		zhouzhouyi
2007-12-22 10:06:11 +00:00
Ruslan Ermilov
9eb1b6aabb Fix bugs in the TCP syncache timeout code. including:
When system ticks are positive, for entries in the cache
bucket, syncache_timer() ran on every tick (doing nothing
useful) instead of the supposed 3, 6, 12, and 24 seconds
later (when it's time to retransmit SYN,ACK).

When ticks are negative, syncache_timer() was scheduled
for the too far future (up to ~25 days on systems with
HZ=1000), no SYN,ACK retransmits were attempted at all,
and syncache entries added in that period that correspond
to non-established connections stay there forever.

Only HEAD and RELENG_7 are affected.

Reviewed by:	silby, kmacy (earlier version)
Submitted by:	Maxim Dounin, ru
2007-12-19 16:56:28 +00:00
Kip Macy
d29a9a83fd Remove extraneous debug statements.
Noticed by: Andrey Chernov
2007-12-19 05:17:40 +00:00
Kip Macy
bc65987ade Incorporate TCP offload hooks in to core TCP code.
- Rename output routines tcp_gen_* -> tcp_output_*.
  - Rename notification routines that turn in to no-ops in the absence of TOE
    from tcp_gen_* -> tcp_offload_*.
  - Fix some minor comment nits.
  - Add a /* FALLTHROUGH */

Reviewed by: Sam Leffler, Robert Watson, and Mike Silbersack
2007-12-18 22:59:07 +00:00
Randall Stewart
83073fcba3 - sctp-iterator should run at PI_NET priority ...not 0.
MFC after:	1 week
2007-12-18 01:24:15 +00:00