Commit Graph

35656 Commits

Author SHA1 Message Date
Poul-Henning Kamp
2c876e15c8 Be consistent about functions being static.
Spotted by:	FlexeLint.
2002-10-16 09:04:52 +00:00
Guido van Rooij
2f591ab8fe Get rid of checking for ip sec history. It is true that packets are not
supposed to be checked by the firewall rules twice. However, because the
various ipsec handlers never call ip_input(), this never happens anyway.

This fixes the situation where a gif tunnel is encrypted with IPsec. In
such a case, after IPsec processing, the unencrypted contents from the
GIF tunnel are fed back to the ipintrq and subsequently handeld by
ip_input(). Yet, since there still is IPSec history attached, the
packets coming out from the gif device are never fed into the filtering
code.
This fix was sent to Itojun, and he pointed towartds
    http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction.
This patch actually implements what is stated there (specifically:
Packet came from tunnel devices (gif(4) and ipip(4)) will still
go through ipf(4). You may need to identify these packets by
using interface name directive in ipf.conf(5).

Reviewed by:	rwatson
MFC after:	3 weeks
2002-10-16 09:01:48 +00:00
Poul-Henning Kamp
c694310048 FIx misindentation.
Spotted by:	FlexeLint.
2002-10-16 09:00:53 +00:00
Poul-Henning Kamp
1eaae5cbe8 Be consistent about functions being static.
Spotted by:	FlexeLint.
2002-10-16 08:57:14 +00:00
Poul-Henning Kamp
031fd299d7 Be consistent about functions being static.
Spotted by:	FlexeLint.
2002-10-16 08:48:39 +00:00
Poul-Henning Kamp
4d8d520f17 Fix misindentation.
Spotted by:	FlexeLint
2002-10-16 08:45:34 +00:00
Poul-Henning Kamp
a917a136ff Rename struct softc to struct mn_softc. 2002-10-16 08:41:38 +00:00
Poul-Henning Kamp
bc9d8a9a37 Fix comments and one resulting code confusion about the type of the
"command" argument to VOP_IOCTL.

Spotted by:	FlexeLint.
2002-10-16 08:04:11 +00:00
Poul-Henning Kamp
fcf549422d Be consistent about functions being static.
Spotted by:	FlexeLint
2002-10-16 08:00:32 +00:00
Poul-Henning Kamp
4cfe209335 A better solution to avoiding variable sized structs in DEVFS. 2002-10-16 07:51:18 +00:00
Poul-Henning Kamp
c122d758ca #include "opt_devfs.h" to protect against variable sized structures.
Spotted by:	FlexeLint
2002-10-16 07:16:47 +00:00
Justin T. Gibbs
ccbe423c8f Never allow memory mapped I/O in PCI-X mode on controllers that
do not support that configuration.  This should fix problems with
embedded 7902 controllers running in PCI-X mode.
2002-10-16 02:59:03 +00:00
Sam Leffler
9b65723081 correct PCB locking in broadcast/multicast case that was exposed by change
to use udp_append

Reviewed by:	hsu
2002-10-16 02:33:28 +00:00
Sam Leffler
b9234fafa0 Tie new "Fast IPsec" code into the build. This involves the usual
configuration stuff as well as conditional code in the IPv4 and IPv6
areas.  Everything is conditional on FAST_IPSEC which is mutually
exclusive with IPSEC (KAME IPsec implmentation).

As noted previously, don't use FAST_IPSEC with INET6 at the moment.

Reviewed by:	KAME, rwatson
Approved by:	silence
Supported by:	Vernier Networks
2002-10-16 02:25:05 +00:00
Sam Leffler
c919ec4b66 add definitions for RIPEMD-160 HMAC and Skipjack encryption algorithms,
for use by "Fast IPsec"
2002-10-16 02:18:56 +00:00
Sam Leffler
88768458d2 "Fast IPsec": this is an experimental IPsec implementation that is derived
from the KAME IPsec implementation, but with heavy borrowing and influence
of openbsd.  A key feature of this implementation is that it uses the kernel
crypto framework to do all crypto work so when h/w crypto support is present
IPsec operation is automatically accelerated.  Otherwise the protocol
implementations are rather differet while the SADB and policy management
code is very similar to KAME (for the moment).

Note that this implementation is enabled with a FAST_IPSEC option.  With this
you get all protocols; i.e. there is no FAST_IPSEC_ESP option.

FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a
single system.

This software is well tested with IPv4 but should be considered very
experimental (i.e. do not deploy in production environments).  This software
does NOT currently support IPv6.  In fact do not configure FAST_IPSEC and
INET6 in the same system.

Obtained from:	KAME + openbsd
Supported by:	Vernier Networks
2002-10-16 02:10:08 +00:00
Sam Leffler
5d84645305 Replace aux mbufs with packet tags:
o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
  ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
  use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct
  inpcb parameter to ip_output and ip6_output to allow the IPsec code to
  locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version

Reviewed by:	julian, luigi (silent), -arch, -net, darren
Approved by:	julian, silence from everyone else
Obtained from:	openbsd (mostly)
MFC after:	1 month
2002-10-16 01:54:46 +00:00
Kirk McKusick
86aeb27fa2 Change locking so that all snapshots on a particular filesystem share
a common lock. This change avoids a deadlock between snapshots when
separate requests cause them to deadlock checking each other for a
need to copy blocks that are close enough together that they fall
into the same indirect block. Although I had anticipated a slowdown
from contention for the single lock, my filesystem benchmarks show
no measurable change in throughput on a uniprocessor system with
three active snapshots. I conjecture that this result is because
every copy-on-write fault must check all the active snapshots, so
the process was inherently serial already. This change removes the
last of the deadlocks of which I am aware in snapshots.

Sponsored by:	DARPA & NAI Labs.
2002-10-16 00:19:23 +00:00
Sam Leffler
87cb581aa4 missed additional callout that can run w/o Giant locked 2002-10-15 23:25:56 +00:00
Poul-Henning Kamp
fb9da1ef43 Include "opt_kbd.h" since certain structures size depend on the value
of KBDIO_DEBUG which may be defined in the kernel config (as it is in NOTES).

This kind of bug is a _really_ horribly thing as we end up with one bit
of code thinking a particular structure is 136 bytes and another that it
is only 112 bytes.

Ideally all places would remember to #include the right "opt_foo.h" file,
but I think in practice file containing the variable sized struct should
#include it explicitly as a precaution.

Detected by:	FlexeLint
2002-10-15 21:35:01 +00:00
Nate Lawson
02fcfac0ad Return an error if the drive reports heads/sectors that do not make sense.
This fixes a divide by zero in fdisk(8)

Reviewed by:	phk
2002-10-15 21:28:50 +00:00
Robert Watson
9e3bf94fd7 Push most UFS ACL behavior behind a check for MNT_ACLS, permitting ACLs
to be administratively disabled as needed on UFS/UFS2 file systems.  This
also has the effect of preventing the slightly more expensive ACL code
from running on non-ACL file systems, avoiding storage allocation for
ACLs that may be read from disk.  MNT_ACLS may be set at mount-time
using mount -o acls, or implicitly by setting the FS_ACLS flag using
tunefs.  On UFS1, you may also have to configure ACL store.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-15 21:28:24 +00:00
David E. O'Brien
77e4f5d146 Bump __FreeBSD_version for the Binutils 2.13 upgrade, which includes the
new FreeBSD emulation, vec, and output format.
2002-10-15 21:26:53 +00:00
Hajimu UMEMOTO
3a3b49aaff Correct the definitions of SADB_* to be compatible with
RFC2407/IANA assignment.  This change breaks binary
compatibility.  So, you need to recompile IPsec related
applications.
2002-10-15 20:59:56 +00:00
Poul-Henning Kamp
32e8efbffd Don't show the command line when doing "make lint". 2002-10-15 20:49:58 +00:00
Poul-Henning Kamp
6df6552a3d Be consistent about marking functions static.
Found by:	FlexeLint.
2002-10-15 20:32:45 +00:00
Robert Watson
80830407c6 If the FS_MULTILABEL flag is set in a UFS or UFS2 superblock,
automatically set MNT_MULTILABEL in the mount flags.

If FS_ACLS is set in a UFS or UFS2 superblock, automatically
set MNT_ACLS in the mount flags.

If either of these flags is set, but the appropriate kernel option
to support the features associated with the flag isn't available,
then print a warning at mount-time.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-15 20:00:06 +00:00
Poul-Henning Kamp
7c61d7858c Plug a memory-leak.
"I think you're right" by:	jake
2002-10-15 18:58:38 +00:00
Poul-Henning Kamp
9736c8f03a Use ; not , as statement separator in PDEBUG() macro.
Ignoring a NULL dev in device_set_ivars() sounds wrong, KASSERT it to
non-NULL instead.

Do the same for device_get_ivars() for reasons of symmetry, though
it probably would have yielded a panic anyway, this gives more precise
diagnostics.

Absentmindedly nodded OK to by:	jhb
2002-10-15 18:56:13 +00:00
Poul-Henning Kamp
65a728a53b Plug an infrequent (I think) memory leak.
Spotted by:	FlexeLint
2002-10-15 18:51:02 +00:00
Poul-Henning Kamp
220aecb807 Constification ? Yes, out that door, row on the left, one patch each.
Sponsored by:	DARPA & NAI Labs
2002-10-15 18:21:53 +00:00
John Baldwin
7fd1f2b8bc Argh. Put back setting of P_ADVLOCK for the F_WRLCK case that was
accidentally lost in the previous revision.

Submitted by:	bde
Pointy hat to:	jhb
2002-10-15 18:10:13 +00:00
Marcel Moolenaar
47f750125b Fix kernel module loading on ia64. Cross-module function calls
were improperly relocated due to faulty logic in lookup_fdesc()
in elf_machdep.c. The symbol index (symidx) was bogusly used for
load modules other than the one the relocation applied to. This
resulted in bogus bindings and consequently runtime failures.

The fix is to use the symbol index only for the module being
relocated and to use the symbol name for look-ups in the
modules in the dependent list. As such, we need a function to
return the symbol name given the linker file and symbol index.
2002-10-15 05:40:07 +00:00
Matt Jacob
64fa510881 Enable mpt && ISP_TARGET_MODE in isp (for Lint purposes) 2002-10-15 04:38:40 +00:00
Marcel Moolenaar
18e0cd7dde Fix previous commit: Don't cast integral types to pointers to
print them with %p. Cast to unsigned long and print with %#lx.

Discussed with: bde
2002-10-15 01:50:09 +00:00
Peter Wemm
803cc8aa8f Restore pointer that was removed in 1.128. This wasn't a merge-o. 2002-10-15 01:36:45 +00:00
Mike Barcroft
89b6abc39a Move details of key_t to <sys/_types.h>, so that it can be typedef'd
in more than just <sys/types.h>.
2002-10-15 00:40:52 +00:00
John Baldwin
c65440644e - Add a new global mutex 'ppeers_lock' to protect the p_peers list of
processes forked with RFTHREAD.
- Use a goto to a label for common code when exiting from fork1() in case
  of an error.
- Move the RFTHREAD linkage setup code later in fork since the ppeers_lock
  cannot be locked while holding a proc lock.  Handle the race of a task
  leader exiting and killing its peers while a peer is forking a new child.
  In that case, go ahead and let the peer process proceed normally as the
  parent is about to kill it.  However, the task leader may have already
  gone to sleep to wait for the peers to die, so the new child process may
  not receive a SIGKILL from the task leader.  Rather than try to destruct
  the new child process, just go ahead and send it a SIGKILL directly and
  add it to the p_peers list.  This ensures that the task leader will wait
  until both the peer process doing the fork() and the new child process
  have received their KILL signals and exited.

Discussed with:	truckman (earlier versions)
2002-10-15 00:14:32 +00:00
John Baldwin
60a6965a88 Remove the leaderp variable and just access p_leader directly. The
p_leader field is not protected by the proc lock but is only set during
fork1() by the parent process and never changes.
2002-10-15 00:03:40 +00:00
John Baldwin
63e30378bc - Use __BUS_ACCESSOR() to define the ISA ivar accessor functions instead of
homerolling our own version.
- Rename the enum for memsize from ISA_IVAR_MSIZE to ISA_IVAR_MEMSIZE
  since using 'MSIZE' in the macro invocation of ISA_ACCESSOR() conflicts
  with the 'MSIZE' kernel option.  The accessor function is still
  isa_get_msize().
2002-10-15 00:02:51 +00:00
Peter Wemm
af3f249f3a The a.out md_coredump stuff isn't referenced anywhere anymore, and
hasn't been filled in for ages..  Nuked.
2002-10-15 00:02:50 +00:00
Peter Wemm
962deac027 Turn off the premature locking in xl. The driver tries to use the mutexes
as spl replacements, but you cant sleep while holding mutexes.

This change has been made on many other drivers.
2002-10-14 23:58:46 +00:00
Kirk McKusick
48f0495d85 When reading or writing the extended attributes of a special device
or fifo in UFS2, the normal ufs_strategy routine needs to be used
rather than the spec_strategy or fifo_strategy routine. Thus the
ffsext_strategy routine is interposed in the ffs_vnops vectors for
special devices and fifo's to pick off this special case. Otherwise
it simply falls through to the usual spec_strategy or fifo_strategy
routine.

Submitted by:	Robert Watson <rwatson@FreeBSD.org>
Sponsored by:	DARPA & NAI Labs.
2002-10-14 23:18:09 +00:00
Alfred Perlstein
9c1c2e9924 Put function return types on a line by themselves.
Cleanup my earlier de-__P sweep and remove whitespace between function
names and paramters.
2002-10-14 22:31:52 +00:00
Matt Jacob
413f5a8add LINT related fixes (as noticed by bde) 2002-10-14 22:13:51 +00:00
Poul-Henning Kamp
b775674772 Remove a bogus local variable.
Sponsored by:	DARPA & NAI Labs.
2002-10-14 21:22:23 +00:00
Alfred Perlstein
8ced1eb281 Remove a KASSERT I added in 1.73 to catch uninitialized pipes.
It must be removed because it is done without the pipe being locked
via pipelock() and therefore is vulnerable to races with pipespace()
erroneously triggering it by temporarily zero'ing out the structure
backing the pipe.

It looks as if this assertion is not needed because all manipulation
of the data changed by pipespace() _is_ protected by pipelock().

Reported by: kris, mckusick
2002-10-14 21:15:04 +00:00
Mike Barcroft
b8a5a77b10 o Add typedefs for gid_t, key_t, mode_t, and uid_t.
o Add comment about ipc_perm's members.
o Add some visibility conditionals for non-standard extentions.
o Remove a comment about ftok() not belonging.
2002-10-14 20:50:41 +00:00
Julian Elischer
24c5baae53 Did you ever notice how stupid bugs show up much clearer
when you see them in a commit message?
2002-10-14 20:43:02 +00:00
Julian Elischer
1f955e2d48 Tidy up the scheduler's code for changing the priority of a thread.
Logically pretty much a NOP.
2002-10-14 20:34:31 +00:00