4769 Commits

Author SHA1 Message Date
jch
0e426a7bb8 MFC r264321, r264342, r264351, r264356, r273850, r274629:
Currently, the TCP slow timer can starve TCP input processing while it
walks the list of connections in TIME_WAIT closing expired connections
due to contention on the global TCP pcbinfo lock.

To remediate, introduce a new global lock to protect the list of
connections in TIME_WAIT.  Only acquire the TCP pcbinfo lock when
closing an expired connection.  This limits the window of time when
TCP input processing is stopped to the amount of time needed to close
a single connection.

Approved by:    jhb (mentor)
2014-12-02 11:47:26 +00:00
hselasky
9fcf944d2a MFC r274376:
Fix some minor TSO issues:
- Improve description of TSO limits.
- Remove a not needed KASSERT()
- Remove some not needed variable casts.

Sponsored by:	Mellanox Technologies
2014-11-19 09:03:12 +00:00
bryanv
8677516401 MFC r272844:
Add missing UDP multicast receive dtrace probes
2014-11-08 02:53:55 +00:00
bryanv
520007fcf4 MFC r272797:
Check for mbuf copy failure when there are multiple multicast sockets

This partitular case is the only path where the mbuf could be NULL.
udp_append() checked for a NULL mbuf only after invoking the tunneling
callback. Our only in tree tunneling callback - SCTP - assumed a non
NULL mbuf, and it is a bit odd to make the callbacks responsible for
checking this condition.

This also reduces the differences between the IPv4 and IPv6 code.
2014-11-08 02:40:00 +00:00
hselasky
fa183f0174 MFC r271946 and r272595:
Improve transmit sending offload, TSO, algorithm in general. This
change allows all HCAs from Mellanox Technologies to function properly
when TSO is enabled. See r271946 and r272595 for more details about
this commit.

Sponsored by:	Mellanox Technologies
2014-11-03 12:38:29 +00:00
ae
33d2961d9a MFC r272770:
When tunneling interface is going to insert mbuf into netisr queue after stripping
  outer header, consider it as new packet and clear the protocols flags.

  This fixes problems when IPSEC traffic goes through various tunnels and router
  doesn't send ICMP/ICMPv6 errors.

PR:		174602
Sponsored by:	Yandex LLC
2014-10-30 13:53:57 +00:00
hselasky
1d17f744c7 MFC r273733, r273740 and r273773:
The SYSCTL data pointers can come from userspace and must not be
directly accessed. Although this will work on some platforms, it can
throw an exception if the pointer is invalid and then panic the kernel.

Add a missing SYSCTL_IN() of "SCTP_BASE_STATS" structure.

Sponsored by:	Mellanox Technologies
2014-10-30 08:04:48 +00:00
jilles
2b4fb09304 MFC r266842: netinet/in.h: Expose htonl(), htons(), ntohl() and ntohs() in
strict POSIX mode.

Put the htonl(), htons(), ntohl() and ntohs() declarations under
__POSIX_VISIBLE >= 200112. POSIX.1-2001 and newer require these to be
exposed from <netinet/in.h> (as well as <arpa/inet.h>).

Note that it may be unnecessary to check __POSIX_VISIBLE >= 200112 because
older versions of POSIX and the C standard do not define this header.
However, other places in the same file already perform the check.

PR:		188316
Submitted by:	Christian Neukirchen
2014-10-29 23:10:48 +00:00
sbruno
47c62aa0b0 MFC r272720, 273061, 273062, 273063, 273064
Implement PLPMTUD blackhole detection (RFC 4821), inspired by code
from xnu sources.  If we encounter a network where ICMP is blocked
the Needs Frag indicator may not propagate back to us.  Attempt to
downshift the mss once to a preconfigured value.

Note, this is turned off by default.
2014-10-29 22:17:45 +00:00
hselasky
1f41d295fb MFC r263710, r273377, r273378, r273423 and r273455:
- De-vnet hash sizes and hash masks.
- Fix multiple issues related to arguments passed to SYSCTL macros.

Sponsored by:	Mellanox Technologies
2014-10-27 14:38:00 +00:00
tuexen
84b9f624de MFC 273168:
Fix the reported streams in a SCTP_STREAM_RESET_EVENT, if a
sent incoming stream reset request was responded with failed
or denied.
Thanks to Peter Bostroem from Google for reporting the issue.
2014-10-19 11:31:23 +00:00
tuexen
ed67dea7a4 MFC r272841:
Ensure that the flags field of sctp_tmit_chunks is initialized.
Thanks to Peter Bostroem from Google for reporting the issue.
2014-10-12 17:45:22 +00:00
tuexen
b0912548c1 MFC r272751:
Ensure that the list of streams sent in a stream reset parameter fits
in an mbuf-cluster.
Thanks to Peter Bostroem for drawing my attention to this part of the code.
2014-10-12 17:42:32 +00:00
tuexen
85569fa02c MFC r272750:
Ensure that the number of stream reported in srs_number_streams is
consistent with the amount of data provided in the SCTP_RESET_STREAMS
socket option.
Thanks to Peter Bostroem from Google for drawing my attention to
this part of the code.
2014-10-12 17:39:37 +00:00
tuexen
4f377875d1 MFC r272571:
Remove unused MC_ALIGN macro as suggested by Robert.
2014-10-12 17:36:41 +00:00
hrs
fcd622891b MFC r271628:
Use generic SYSCTL_* macro instead of deprecated SYSCTL_VNET_*.
2014-10-09 23:46:17 +00:00
hrs
39888f6b56 MFC r271545, 271610:
Make net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, and
  net.inet.ip.process_options vnet-aware.
2014-10-09 23:45:26 +00:00
hrs
fee8b9f992 MFC r269054:
Fix EtherIP.  TOS field must be initialized when the inner protocol is
  PF_LINK, and multicast/broadcast flag should always be dropped because
  the outer protocol uses unicast even when the inner address is not for
  unicast.  It had been broken since r236951 when gif_output() started to
  use IFQ_HANDOFF().
2014-10-09 23:29:44 +00:00
tuexen
88124f9e02 MFC r272347:
The default for UDPLITE_RECV_CSCOV is zero. RFC 3828 recommend
that this means full checksum coverage for received packets.
If an application is willing to accept packets with partial
coverage, it is expected to use the socket option and provide
the minimum coverage it accepts.
2014-10-06 17:04:26 +00:00
tuexen
ce3a76b52f MFC r272326:
UDPLite requires a checksum. Therefore, discard a received packet if
the checksum is 0.
2014-10-06 16:59:25 +00:00
tuexen
952b4cb5f7 MFC r272323:
If the checksum coverage field in the UDPLITE header is the length
of the complete UDPLITE packet, the packet has full checksum coverage.
So fix the condition.
2014-10-06 13:32:30 +00:00
tuexen
0be9f8014d MFC r272263:
Checksum coverage values larger than 65535 for UDPLite are invalid.
Check for this when the user calls setsockopt using UDPLITE_{SEND,RECV}CSCOV.
2014-10-06 13:12:04 +00:00
tuexen
a2c29a6744 MFC r271643:
Chunk IDs are 8 bit entities, not 16 bit.
Thanks to Peter Kasting from Google for drawing
my attention to it.

MFC r271665:
The MTU is handled as a 32-bit entity within the SCTP stack.
This was reported by Peter Kasting from Google.

MFC r271670:
Make a type conversion explicit. When compiling this code on
Windows as part of the SCTP userland stack, this fixes a
warning reported by Peter Kasting from Google.

MFC r271672:
Small cleanup which addresses a warning regaring the truncation
of a 64-bit entity to a 32-bit entity. This issue was reported by
Peter Kasting from Google.

MFC r271673:
Use a consistent type for the number of HMAC algorithms.
This fixes a bug which resulted in a warning on the userland
stack, when compiled on Windows.
Thanks to Peter Kasting from Google for reporting the issue and
provinding a potential fix.

MFC r271674:
Add a explict cast to silence a warning when building
the userland stack on Windows.
This issue was reported by Peter Kasting from Google.

Approved by: re (kib)
2014-09-18 09:49:49 +00:00
tuexen
1a3a68be7f MFC r270673:
Announce SCTP support in the kern.features sysctl variables.

MFC r270859:
Enable SCTP support. It runs perfectly fine on a Wandboard quad.

MFC r271204 with manual intervention:
Fix the handling of sysctl variables when used with VIMAGE.
While there do some cleanup of the code.

MFC r271209:
Fix a leak of an address, if the address is scheduled for removal
and the stack is torn down.
Thanks to Peter Bostroem and Jiayang Liu from Google for reporting the
issue.

MFC r271219:
Use SYSCTL_PROC instead of SYSCTL_VNET_PROC.
Suggested by: glebius@

MFC r271221:
Use union sctp_sockstore instead of struct sockaddr_storage. This
eliminates some warnings when building in userland.
Thanks to Patrick Laimbock for reporting this issue.
Remove also some unnecessary casts.
There should be no functional change.

MFC r271228:
Address another warnings reported by Patrick Laimbock when compiling
in userspace. While there, improve consistency.

MFC r271230:
Address warnings generated by the clang analyzer.

Approved by: re (kib)
2014-09-18 08:58:22 +00:00
lstewart
25b8a28db6 MFC r270160:
Destroy the "qdiffsample_zone" UMA zone on unload to avoid a use-after-unload
panic easily triggered by running "sysctl -a" after unload.

Reported and tested by:	Grenville Armitage <garmitage@swin.edu.au>
Approved by:	re(gjb)
2014-09-16 21:26:24 +00:00
delphij
f7baec35a3 Fix Denial of Service in TCP packet processing.
Security:	FreeBSD-SA-14:19.tcp
Approved by:	re (implicit, security advisory)
2014-09-16 09:48:35 +00:00
hselasky
918e06e655 MFC r269777:
Fix string length argument passed to "sysctl_handle_string()" so that
the complete string is returned by the function and not just only one
byte.

PR:	192544
2014-08-27 14:07:24 +00:00
tuexen
2532281742 Remove debug output which was comitted by accident.
This is a direct commit to stable/10.
2014-08-22 20:36:45 +00:00
tuexen
9db28b75f0 MFC r269945:
Add support for the SCTP_PR_STREAM_STATUS and SCTP_PR_ASSOC_STATUS
socket options. This includes managing the correspoing stat counters.
Add the SCTP_DETAILED_STR_STATS kernel option to control per policy
counters on every stream. The default is off and only an aggregated
counter is available. This is sufficient for the RTCWeb usecase.
2014-08-22 20:26:20 +00:00
tuexen
fcd4ba9eaa MFC r269858:
Add support for the SCTP_AUTH_SUPPORTED and SCTP_ASCONF_SUPPORTED
socket options. Add also a sysctl to control the support of ASCONF.
2014-08-22 20:22:12 +00:00
tuexen
85630ed213 MFC r269527:
Add support for the SCTP_RECONFIG_SUPPORTED and the corresponding
sysctl controlling the negotiation of the RE-CONFIG extension.
2014-08-22 20:16:26 +00:00
tuexen
5a4252e3c4 MFC r269481:
Add support for the SCTP_PKTDROP_SUPPORTED socket option and
the corresponding sysctl variable.
The default is off, since the specification is not an RFC yet.
2014-08-22 20:08:50 +00:00
tuexen
94e8309da0 MFC r269475:
Add SCTP socket option SCTP_NRSACK_SUPPORTED to control the
NRSACK extension. The default will still be off, since it
it not an RFC (yet).
Changing the sysctl name will be in a separate commit.
2014-08-22 20:05:09 +00:00
tuexen
b33760ea4b MFC r269448:
Add support for the SCTP_PR_SUPPORTED socket option as specified in
http://tools.ietf.org/html/draft-ietf-tsvwg-sctp-prpolicies
Add also a sysctl controlling the default of the end-points.
2014-08-22 20:01:35 +00:00
tuexen
a4786844b5 MFC r269436, r269445:
Cleanup the ECN configuration handling and provide an SCTP socket
option for controlling ECN on future associations and get the
status on current associations.
A simialar pattern will be used for controlling SCTP extensions in
upcoming commits.
2014-08-22 19:57:39 +00:00
tuexen
c03375e227 MFC r269396:
Remove the asconf_auth_nochk sysctl. This was off by default and only
existed to be able to test with non-compliant peers a long time ago.
2014-08-22 19:53:10 +00:00
tuexen
0b70de8b22 MFC r269376:
Cleanup sctp_send_initiate() and sctp_send_initiate_ack() to be
in sync as much as possible. This simplifies upcoming changes.
2014-08-22 19:49:43 +00:00
tuexen
38dd7ad791 MFC r269075:
Initialize notification structures.
This was missed in an earlier commit
2014-08-22 19:46:22 +00:00
tuexen
f0a88a3e04 MFC r268537:
Whitespace changes.
2014-08-22 19:43:27 +00:00
tuexen
6022e8fc87 MFC r268534:
Bugfix: When a remote address was added to an endpoint,
a source address was selected and cached, but it was not
stored that is was cached. This resulted in selecting
different source addresses for the INIT-ACK and COOKIE-ACK
when possible.
Thanks to Niu Zhixiong for reporting the issue.
2014-08-22 19:40:29 +00:00
tuexen
401dfe0b41 MFC r268526:
Integrate upstream changes.
2014-08-22 19:37:50 +00:00
bz
1344b41f0b MFC r266907:
While PAWS is disabled, there are no consumers for the tcp options
 argument to tcp_twcheck();  thus mark it __unused.
2014-08-16 14:09:26 +00:00
bz
9d2fdc5f67 MFC r266620:
Remove the prototpye for the static inline function
 tcp_signature_verify_input().
 The function is defined before first use already.
2014-08-16 14:05:31 +00:00
bz
f8953220b8 MFC r266619:
syncache_lookup() is a file local function.  Make it static and
 take it out of the public KPI; seems it was never used elsewhere.
2014-08-16 14:03:00 +00:00
bz
a0d3819845 MFC r266618:
Make tcp_twrespond() file local private;  this removes it from the
 public KPI; it is not used anywhere else and seems it never was.
2014-08-16 13:58:45 +00:00
bz
dd062e6c84 MFC r266597:
Remove the prototypes for things that are no longer file local but were
 moved to the header file.

 Was suppoed to be MFCed with: r266596
 Pointy hat to:	bz
2014-08-16 13:53:05 +00:00
bz
6f5b0b94bc MFC r266596:
Move the tcp_fields_to_host() and tcp_fields_to_net() (inline)
 functions to the tcp_var.h header file in order to avoid further
 duplication with upcoming commits.

 Reviewed by:	np
2014-08-16 13:50:15 +00:00
np
334efdc74b MFC r268450 (by glebius). The leak affects stable/10 too.
In several cases in ip_output() we obtain reference on ifa. Do not
leak it.
2014-07-21 20:38:21 +00:00
delphij
7642e9504a Fix kernel memory disclosure in control message and SCTP notifications.
Security:	FreeBSD-SA-14:17.kmem
Security:	CVE-2014-3952, CVE-2014-3953
2014-07-08 21:54:50 +00:00
tuexen
08c9939204 MFC r267688:
Fix a bug which incorrectly allowed two listening SCTP sockets on
the same port bound to the wildcard address.
2014-06-23 07:58:41 +00:00