1321 Commits

Author SHA1 Message Date
garga
7b9023e28a Remove extra space introduced in r287734. This is a stable/10 only fix
since original commit (r287094) is correct.

Approved by:	loos
Sponsored by:	Rubicon Communications (Netgate)
2015-09-22 14:33:43 +00:00
hrs
bc4a1ace90 MFC 287094:
- Deprecate IN6_IFF_NODAD.  It was used to prevent DAD on a loopback
  interface but in6if_do_dad() already had a check for IFF_LOOPBACK.

- Remove in6if_do_dad() check in in6_broadcast_ifa().  An address
  which needs DAD always has IN6_IFF_TENTATIVE there.

- in6if_do_dad() now returns EAGAIN when the interface is not ready
  since DAD callout handler ignores such an interface.

- In DAD callout handler, mark an address as IN6_IFF_TENTATIVE
  when the interface has ND6_IFF_IFDISABLED.  And do IFF_UP and
  IFF_DRV_RUNNING check consistently when DAD is required.

- draft-ietf-6man-enhanced-dad is now published as RFC 7527.

- Fix some typos.
2015-09-13 02:09:06 +00:00
hrs
8de92fe779 MFC 287095, 287610, 287611, 287617:
Remove obsolete API (SIOCGDRLST_IN6 and SIOCGPRLST_IN6) support.
2015-09-13 01:59:50 +00:00
hrs
2f4beaf9e8 MFC 287609:
Do not add IN6_IFF_TENTATIVE when ND6_IFF_NO_DAD.
2015-09-13 01:44:30 +00:00
hrs
ec83826da7 MFC 287608:
Remove IN6_IFF_NOPFX.  This flag was no longer used.
2015-09-13 01:39:37 +00:00
ae
2cbf021408 MFC r285710:
Invoke LLE event handler when entry is deleted.
2015-08-05 11:24:40 +00:00
hrs
b037e0b55c MFC r282805:
- Remove ND6_IFF_IGNORELOOP.  This functionality was useless in practice
  because a link where looped back NS messages are permanently observed
  does not work with either NDP or ARP for IPv4.

- draft-ietf-6man-enhanced-dad is now RFC 7527.

Approved by:	re (gjb)
2015-07-23 19:58:56 +00:00
hrs
1bf10917ef MFC r273992:
Fix a bug which prevented ND6_IFF_IFDISABLED flag from clearing when
the newly-added IPv6 address was /128.

Approved by:	re (gjb)
2015-07-23 19:54:42 +00:00
tuexen
103d48d60e MFC r284515:
Add FIB support for SCTP.
This fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200379

PR:	200379
2015-06-20 08:25:27 +00:00
kp
1af840c38e Merge r281234
Evaluate packet size after the firewall had its chance

Defer the packet size check until after the firewall has had a look at it. This
means that the firewall now has the opportunity to (re-)fragment an oversized
packet.

Differential Revision:	https://reviews.freebsd.org/D2821
Reviewed by:	gnn
2015-06-18 20:57:21 +00:00
kp
801d5721d1 Merge r281165
Remove duplicate code

We'll just fall into the same local delivery block under the
'if (m->m_flags & M_FASTFWD_OURS)'.

Suggested by:       ae
Differential Revision:	https://reviews.freebsd.org/D2820
Reviewed by:	gnn
2015-06-18 20:45:37 +00:00
kp
ad9eb0c77b Merge r280955
Preserve IPv6 fragment IDs across reassembly and refragmentation

When forwarding fragmented IPv6 packets and filtering with PF we
reassemble and refragment. That means we generate new fragment headers
and a new fragment ID.

We already save the fragment IDs so we can do the reassembly so it's
straightforward to apply the incoming fragment ID on the refragmented
packets.

Differential Revision:	https://reviews.freebsd.org/D2817
Reviewed by:	gnn
2015-06-18 20:40:36 +00:00
kp
80d7588d81 Merge r278842
Factor out ip6_fragment() function, to be used in IPv6 stack and pf(4).

Differential Revision:	https://reviews.freebsd.org/D2815
Reviewed by:	gnn
2015-06-18 20:32:53 +00:00
kp
37f96b7312 Merge r278828, r278832
- Factor out ip6_deletefraghdr() function, to be shared between IPv6 stack and pf(4).
- Move ip6_deletefraghdr() to frag6.c. (Suggested by bz)

Differential Revision:	https://reviews.freebsd.org/D2813
Reviewed by:	gnn
2015-06-18 20:21:02 +00:00
ae
f1be259e6a MFC r276148:
Remove in_gif.h and in6_gif.h files. They only contain function
  declarations used by gif(4). Instead declare these functions in C files.
  Also make some variables static.

MFC r276215:
  Extern declarations in C files lose compile-time checking that
  the functions' calls match their definitions. Move them to header files.
2015-06-06 13:26:13 +00:00
ae
920800a21f MFC r274246:
Overhaul if_gre(4).

  Split it into two modules: if_gre(4) for GRE encapsulation and
  if_me(4) for minimal encapsulation within IP.

  gre(4) changes:
  * convert to if_transmit;
  * rework locking: protect access to softc with rmlock,
    protect from concurrent ioctls with sx lock;
  * correct interface accounting for outgoing datagrams (count only payload size);
  * implement generic support for using IPv6 as delivery header;
  * make implementation conform to the RFC 2784 and partially to RFC 2890;
  * add support for GRE checksums - calculate for outgoing datagrams and check
    for incoming datagrams;
  * add support for sending sequence number in GRE header;
  * remove support of cached routes. This fixes a problem where gre(4) doesn't
    work at system startup. But this also removes support for having tunnels with
    the same addresses for inner and outer header.
  * deprecate support for various GREXXX ioctls that aren't used in FreeBSD.
    Use our standard ioctls for tunnels.

  me(4):
  * implementation conforms to RFC 2004;
  * use if_transmit;
  * use the same locking model as gre(4);

  PR:		164475

MFC r274289 (by bz):
  gcc requires variables to be initialised in two places.  One of them
  is correctly used only under the same conditional though.

  For module builds properly check if the kernel supports INET or INET6,
  as otherwise various mips kernels without IPv6 support would fail to build.

MFC r274964:
  Add ip_gre.h to ObsoleteFiles.inc.
2015-06-06 12:44:42 +00:00
ae
200ce7d836 Rework r281868 to not skip RTM announces for tunneling interfaces.
This is direct commit to stable/10.

Tested by:	tuexen@
2015-06-05 07:23:32 +00:00
ae
fcbaea9548 MFC r275392:
Remove route caching support from ipsec code. It hasn't been used for some time.
  * remove sa_route_union declaration and route_cache member from struct secashead;
  * remove key_sa_routechange() call from ICMP and ICMPv6 code;
  * simplify ip_ipsec_mtu();
  * remove #include <net/route.h>;

Sponsored by:	Yandex LLC
2015-06-02 03:14:42 +00:00
ae
8272d42d32 MFC r282965:
Add the ability to accept encapsulated packets from different sources by one
  gif(4) interface. Add new option "ignore_source" for gif(4) interface.
  When it is enabled, gif's encapcheck function requires match only for
  packet's destination address.

  Differential Revision:	https://reviews.freebsd.org/D2004
  Sponsored by:	Yandex LLC
2015-05-31 22:58:41 +00:00
tuexen
beb47cc587 MFC r283650:
Fix and cleanup the debug information. This has no user-visible changes.
Thanks to Irene Ruengeler for providing a patch.
2015-05-31 12:46:40 +00:00
tuexen
369d8e1e68 MFC r276914:
Minimize the usage of SCTP_BUF_IS_EXTENDED.
This should help Robert...
2015-05-29 12:03:02 +00:00
tuexen
551a3dd3e4 MFC r275868:
Plug a memory leak in an error code path.

Reported by:	Coverity
CID:		1018936
2015-05-29 11:25:38 +00:00
ae
d29714b5d5 MFC r282578:
Mark data checksum as valid for multicast packets that we send back
  to ourselves via simloop.
  Also remove duplicate check under #ifdef DIAGNOSTIC.

  PR:		180065
2015-05-14 11:47:18 +00:00
hrs
c4b11b866f MFC r274223 (by glebius):
Remove VNET_SYSCTL_ARG(). The generic sysctl(9) code handles that.

A panic could occur by "sysctl -a" when using VIMAGE-enabled stable/10
kernel after r262734 because of this missing MFC.
2015-05-12 03:49:18 +00:00
hiren
e545513c3e MFC r261708, r261847, r268525, r274316, r274347, r275593,
r276844, r276847, r279531, r279559, r279564, r279676

A bunch of IPv6 fixes by melifaro, hrs and ae

Major changes:
Simplify nd6_output_lle()
Add refcounting to DAD and fix races and other errors
Implement Enhanced DAD algorithm for IPv6

Suggested by: 	ae
Tested by: 	Jason Wolfe <j at nitrology.com>
Sponsored by:	Limelight Networks
2015-05-08 08:35:06 +00:00
markj
f0172891ff MFC r281483:
Fix a possible refcount leak in regen_tmpaddr().
2015-05-05 03:17:32 +00:00
hiren
b09afc6f3f MFC r275358 r275483 r276982 - Removing M_FLOWID by hps@
r275358:
Start process of removing the use of the deprecated "M_FLOWID" flag
from the FreeBSD network code. The flag is still kept around in the
"sys/mbuf.h" header file, but does no longer have any users. Instead
the "m_pkthdr.rsstype" field in the mbuf structure is now used to
decide the meaning of the "m_pkthdr.flowid" field. To modify the
"m_pkthdr.rsstype" field please use the existing "M_HASHTYPE_XXX"
macros as defined in the "sys/mbuf.h" header file.

This patch introduces new behaviour in the transmit direction.
Previously network drivers checked if "M_FLOWID" was set in "m_flags"
before using the "m_pkthdr.flowid" field. This check has now been
replaced by checking if "M_HASHTYPE_GET(m)" is different from
"M_HASHTYPE_NONE". In the future more hashtypes will be added, for
example hashtypes for hardware dedicated flows.

"M_HASHTYPE_OPAQUE" indicates that the "m_pkthdr.flowid" value is
valid and has no particular type. This change removes the need for an
"if" statement in TCP transmit code checking for the presence of a
valid flowid value. The "if" statement mentioned above is now a direct
variable assignment which is then later checked by the respective
network drivers like before.

r275483:
Remove M_FLOWID from SCTP code.

r276982:
Remove no longer used "M_FLOWID" flag from mbuf.h and update the netisr
manpage.

Note: The FreeBSD version has been bumped.

Reviewed by:    hps, tuexen
Sponsored by:   Limelight Networks
2015-04-24 23:26:44 +00:00
ae
8ace1d30e5 MFC r281380:
Fix the IPV6_MULTICAST_IF sockopt handling. RFC 3493 says when the
  interface index is specified as zero, the system should select the
  interface to use for outgoing multicast packets. Even the comment
  for the in6p_set_multicast_if() function mentions an index of zero.
  But in fact for zero index the function just returns EADDRNOTAVAIL.

  I.e. if you first set some interface and then try to reset it
  with zero ifindex, you will get EADDRNOTAVAIL.

  Reset im6o_multicast_ifp to NULL when the interface index is specified as
  zero. Also return EINVAL in case ifnet_byindex() returns NULL.
  This will be the same behaviour as when ifindex is bigger than
  V_if_index. And return EADDRNOTAVAIL only when the interface is not
  multicast capable.
2015-04-24 02:12:25 +00:00
ae
a09a1acc01 MFC r274988 (with modification):
Skip L2 addresses lookups for tunneling interfaces.

PR:		197286
2015-04-22 20:42:17 +00:00
ae
1350ebc78f MFC r281309:
Fix the check for the maximum mbuf size needed to send ND6 NA and NS.
  It is acceptable that the size can be equal to MCLBYTES. In the later
  KAME code this check has been moved under DIAGNOSTIC ifdef, because
  the size of NA and NS is much smaller than MCLBYTES. So, it is safe to
  replace the check with KASSERT.

  PR:		199304
2015-04-22 19:41:29 +00:00
delphij
e5ee1c2b41 Improve patch for SA-15:04.igmp to solve a potential buffer overflow.
Fix multiple vulnerabilities of ntp. [SA-15:07]

Fix bsdinstall(8) insecure default GELI keyfile permissions. [SA-15:08]

Fix Denial of Service with IPv6 Router Advertisements. [SA-15:09]
2015-04-07 20:20:24 +00:00
ae
159c9364d9 MFC r280236:
To avoid a possible race, release the reference to ifa after return
  from nd6_dad_na_input().
2015-03-26 18:44:59 +00:00
ae
86de47baf2 MFC r279588:
Fix deadlock in IPv6 PCB code.

  When several threads are trying to send a datagram to the same destination,
  but fragmentation is disabled and the datagram size exceeds the link MTU,
  ip6_output() calls pfctlinput2(PRC_MSGSIZE). It notifies all
  sockets that wanted to know the MTU to this destination. And since all threads
  hold the PCB lock while sending, taking the lock for each PCB in
  in6_pcbnotify() leads to deadlock.

  RFC 3542 p.11.3 suggests notifying all applications that wanted to receive
  IPV6_PATHMTU ancillary data for each ICMPv6 packet too big message.
  But it doesn't require this when we don't receive an ICMPv6 message.

  Change the ip6_notify_pmtu() function to be able to use it directly from
  ip6_output() to notify only one socket, and to notify all sockets
  when an ICMPv6 packet too big message is received.

MFC r279684:
  tcp6_ctlinput() doesn't pass the MTU value to in6_pcbnotify().
  Check that cmdarg isn't NULL before dereferencing it; this check was in
  ip6_notify_pmtu() before r279588.

PR:		197059
Sponsored by:	Yandex LLC
2015-03-12 09:04:19 +00:00
rrs
3a3039379c MFC of r278472
This fixes a bug in the way that the LLE timers for nd6
and arp were being used. They basically would pass in the
mutex to the callout_init. Because they used this method
to the callout system, it was possible to "stop" the callout.
When flushing the table and you stopped the running callout, the
callout_stop code would return 1 indicating that it was going
to stop the callout (that was about to run on the callout_wheel blocked
by the function calling the stop). Now when 1 was returned, it would
lower the reference count one extra time for the stopped timer, then
a few lines later delete the memory. Of course the callout_wheel was
stuck in the lock code and would then crash since it was accessing
freed memory. By using callout_init(c, 1) we always get a 0 back
and the reference counting bug does not rear its head. We do have
to make a few adjustments to the callouts themselves though to make
sure it does the proper thing if rescheduled as well as gets the lock.

Sponsored by:	Netflix Inc.
2015-02-15 13:57:44 +00:00
ae
2d05aee53a MFC r278268:
Print IPv6 address in log message instead of address of pointer.
2015-02-12 11:10:07 +00:00
bryanv
b5fba8dc05 MFC r272886:
Add context pointer and source address to the UDP tunnel callback

  These are needed for the forthcoming vxlan implementation. The context
  pointer means we do not have to use a spare pointer field in the inpcb,
  and the source address is required to populate vxlan's forwarding table.
2015-01-27 06:19:30 +00:00
ae
7a82e24551 MFC r273087 (with modifications):
Overhaul if_gif(4):
   o convert to if_transmit;
   o use rmlock to protect access to gif_softc;
   o use sx lock to protect from concurrent ioctls;
   o remove a lot of unneeded and duplicated code;
   o remove cached route support (it won't work with concurrent io);
   o style fixes.

MFC r273090:
  Move memset under ifdef INET6.

MFC r273091:
  Add more ifdefs. SIOC*_IN6 are defined only with INET6.

MFC r273121:
  Add inet/inet6 to the dependency list. Without them if_gif is useless.

MFC r273209 by bz:
  After r273087,r273090,r273091,r273121 changes to gif(4) try to fix
  NOIP builds for real.

MFC r273587:
  Remove redundant check and m_pullup() call.
2014-12-23 16:33:44 +00:00
ae
3e533b7379 MFC r275394:
Remove unneeded check. No need to do m_pullup to the size that we prepended.

Sponsored by:	Yandex LLC
2014-12-16 11:53:45 +00:00
ae
b634635a73 MFC r274434:
Fix ips_out_nosa errors accounting.

MFC r274454:
  ipsec6_process_packet is called before ip6_output fixes ip6_plen.
  Update ip6_plen before bpf processing to be able to see the correct value.

MFC r274455:
  We don't return sp pointer, thus NULL assignment isn't needed.
  And reference to sp will be freed at the end.

MFC r274465:
  Remove redundant ip6_plen initialization.

MFC r274466:
  Strip IP header only when we act in tunnel mode.

MFC r274467:
  Count statistics for the specific address family.

Sponsored by:	Yandex LLC
2014-11-20 18:49:11 +00:00
bryanv
8677516401 MFC r272844:
Add missing UDP multicast receive dtrace probes
2014-11-08 02:53:55 +00:00
bryanv
018ace964f MFC r272801:
Move the calls to u_tun_func() into udp6_append()

A similar cleanup for UDPv4 was performed in r220620.
2014-11-08 02:47:23 +00:00
ae
b0344a7d0f MFC r273855:
Fix mbuf leak in IPv6 multicast code.
  When a multicast capable interface goes away, it leaves multicast groups,
  which leads to generating MLD reports, but MLD code does deferred send and
  MLD reports are queued in the in6_multi's in6m_scq ifq. The problem is
  that in6_multi structures are freed when the interface leaves multicast groups
  and the thread that does deferred send will not take these queued packets.

  PR:		194577

MFC r273857:
  Move ifq drain into in6m_purge().

  Suggested by:	bms

Sponsored by:	Yandex LLC
2014-11-06 09:16:52 +00:00
ae
6933957ccb MFC r266800 by vanhu:
IPv4-in-IPv6 and IPv6-in-IPv4 IPsec tunnels.
  For IPv6-in-IPv4, you may need to do the following command
  on the tunnel interface if it is configured as IPv4 only:
  ifconfig <interface> inet6 -ifdisabled

  Code logic inspired from NetBSD.
  PR: kern/169438

MFC r266822 by bz:
  Use IPv4 statistics in ipsec4_process_packet() rather than the IPv6
  version.  This also unbreaks the NOINET6 builds after r266800.

MFC r268083 by zec:
  The assumption in ipsec4_process_packet() that the payload may be
  only IPv4 is wrong, so check the IP version before mangling the
  payload header.

MFC r272394:
  Do not strip the outer header when operating in transport mode.
  Instead requeue the mbuf back to the IPv4 protocol handler. If there is one extra IP-IP
  encapsulation, it will be handled by the tunneling interface. And thus the proper
  interface will be exposed in the mbuf's rcvif. Also, tcpdump that listens on the tunneling
  interface will see packets in both directions.

PR:		194761
2014-11-05 09:23:29 +00:00
hrs
fee8b9f992 MFC r269054:
Fix EtherIP.  TOS field must be initialized when the inner protocol is
  PF_LINK, and multicast/broadcast flag should always be dropped because
  the outer protocol uses unicast even when the inner address is not for
  unicast.  It had been broken since r236951 when gif_output() started to
  use IFQ_HANDOFF().
2014-10-09 23:29:44 +00:00
hrs
ca07cfe57d MFC r266248:
Cancel DAD for an ifa when the ifp has ND6_IFF_IFDISABLED as early as
  possible and do not clear IN6_IFF_TENTATIVE.  If IFDISABLED was accidentally
  set after a DAD started, TENTATIVE could be cleared because no NA was
  received due to IFDISABLED, and as a result it could prevent DAD when
  manually clearing IFDISABLED after that.
2014-10-09 23:25:57 +00:00
hrs
30afda21ea MFC r266857:
- Add rwlock to struct dadq.  A panic could occur when a large number of
    addresses performed DAD at the same time.
2014-10-09 22:56:38 +00:00
ae
142c064467 MFC r271307:
Add the ability to set the `prefer_source' flag on an IPv6 address.
  It affects the IPv6 source address selection algorithm (RFC 6724)
  and allows overriding the last rule ("longest matching prefix") for
  choosing among equivalent addresses. The address with `prefer_source'
  will be the preferred source address.
2014-10-09 02:49:33 +00:00
tuexen
5c61a9046a MFC r272706:
Fix a bug introduced in
https://svnweb.freebsd.org/base?view=revision&revision=272347
2014-10-08 15:45:15 +00:00
tuexen
dcccd3d8ca MFC r272469:
UDP/IPv6 and UDPLite/IPv6 require a checksum. So check for it.
2014-10-06 17:14:31 +00:00
tuexen
ec9e40767d MFC r272408:
Check that for UDP/IPv6 packets the length in the UDP header is at least
the minimum. Make the check similar to the one for UDPLite/IPv6.
2014-10-06 17:12:03 +00:00