Commit Graph

1136 Commits

Author SHA1 Message Date
rwatson
4af919b491 Second-to-last commit implementing Capsicum capabilities in the FreeBSD
kernel for FreeBSD 9.0:

Add a new capability mask argument to fget(9) and friends, allowing system
call code to declare what capabilities are required when an integer file
descriptor is converted into an in-kernel struct file *.  With options
CAPABILITIES compiled into the kernel, this enforces capability
protection; without, this change is effectively a no-op.

Some cases require special handling, such as mmap(2), which must preserve
information about the maximum rights at the time of mapping in the memory
map so that they can later be enforced in mprotect(2) -- this is done by
narrowing the rights in the existing max_protection field used for similar
purposes with file permissions.

In namei(9), we assert that the code is not reached from within capability
mode, as we're not yet ready to enforce namespace capabilities there.
This will follow in a later commit.

Update two capability names: CAP_EVENT and CAP_KEVENT become
CAP_POST_KEVENT and CAP_POLL_KEVENT to more accurately indicate what they
represent.

Approved by:	re (bz)
Submitted by:	jonathan
Sponsored by:	Google Inc
2011-08-11 12:30:23 +00:00
avg
50b05401d3 remove RESTARTABLE_PANICS option
This is done per request/suggestion from John Baldwin
who introduced the option.  Trying to resume normal
system operation after a panic is very unpredictable
and dangerous.  It will become even more dangerous
when we allow a thread in panic(9) to penetrate all
lock contexts.
I understand that the only purpose of this option was
for testing scenarios potentially resulting in panic.

Suggested by:	jhb
Reviewed by:	attilio, jhb
X-MFC-After:	never
Approved by:	re (kib)
2011-07-25 09:12:48 +00:00
zec
e3d85d5e0d Clear pending ifnet events, in an attempt at preventing
ng_ether_link_state() from being dispatched after we have
cleared our IFP2NG(ifp).

MFC after:	3 days
2011-07-16 19:11:45 +00:00
glebius
4055dcbe1c In ng_attach_cntl() first allocate things that may fail, and then
do the rest of initialization. This simplifies code and fixes
a double free in failure scenario.

Reviewed by:	bz
2011-07-14 18:38:10 +00:00
glebius
7893f5ef5d Add missing unlocks.
2011-07-06 09:43:25 +00:00
glebius
35e375273c o Eliminate flow6_hash_entry in favor of flow_hash_entry. We don't need
a separate struct to start a slist of semi-opaque structs. This
  makes some code more compact.
o Rewrite ng_netflow_flow_show() and its API/ABI:
  - Support for IPv6 is added.
  - Request and response now use same struct. Structure specifies
    version (6 or 4), index of last retrieved hash, and also index
    of last retrieved entry in the hash entry.
2011-07-05 14:48:39 +00:00
glebius
b1bf1da00e Fix build with NETGRAPH_DEBUG.
2011-07-04 20:50:09 +00:00
glebius
ab5a5d466b Fix build with NETGRAPH_DEBUG.
2011-07-04 13:55:55 +00:00
glebius
ffb5cf4714 - Use refcount(9) API to manage node and hook refcounting.
- Make ng_unref_node() void, since caller shouldn't be
  interested in whether node is valid after call or not,
  since it can't be guaranteed to be valid. [1]

Ok from:	julian [1]
2011-07-04 07:03:44 +00:00
bz
300a95bf76 Tag mbufs of all incoming frames or packets with the interface's FIB
setting (either default or if supported as set by SIOCSIFFIB, e.g.
from ifconfig).

Submitted by:	Alexander V. Chernikov (melifaro ipfw.ru)
Reviewed by:	julian
MFC after:	2 weeks
2011-07-03 16:08:38 +00:00
glebius
903a34675e Fix double free.
Submitted by:	Alexander V. Chernikov <melifaro ipfw.ru>
2011-07-01 08:27:03 +00:00
hselasky
dc0788739a - Move all USB device ID arrays into so-called sections,
sorted according to the mode which they support:
	host, device or dual mode
- Add generic tool to extract these data:
	tools/bus_autoconf

Discussed with:	imp
Suggested by:	Robert Millan <rmh@debian.org>
PR:		misc/157903
MFC after:	14 days
2011-06-24 02:30:02 +00:00
glebius
4dfcd2be16 Be consistent with r160968: keep autoSrcAddr flag untouched when
node receives NGM_SHUTDOWN.

Submitted by:	pluknet
2011-06-23 09:42:41 +00:00
ae
05949f8eec Sync ng_nat with recent (r222806) ipfw_nat changes:
Make the behaviour of the libalias-based in-kernel NAT a bit closer to
  how natd(8) works. natd(8) drops packets only when libalias returns
  PKT_ALIAS_IGNORED and the "deny_incoming" option is set, but ipfw_nat
  always dropped packets that were not aliased, even if they should
  not be aliased and are just passing through.

Also add SCTP support: mark response packets to skip firewall processing.

MFC after:	1 month
2011-06-07 06:48:42 +00:00
zec
f4e35def4a Assume the link to be dead if the bit error rate (BER) parameter is set to 1.
When a transition from link alive to link dead configuration or vice
versa occurs, notify any upstream and / or downstream peers using
NGM_FLOW messages.

Link state notification using NGM_FLOW messages is modelled around
already existing code in ng_ether.c.

MFC after:	3 days
2011-05-24 14:36:32 +00:00
zec
b3769a4355 Provide fake link status information in an attempt to let ng_eiface(4)
virtual ifnets more realistically mimic physical ethernet interfaces.
The main motivation behind this change is to allow for ng_eiface(4)
interfaces to participate in STP if_bridge(4) configurations.

When announcing link status changes, switch to the vnet to which the
ifnet belongs, since it is possible for ng_eiface ifnets to be assigned
to a vnet different from the one in which their netgraph node resides.

MFC after:	3 days
2011-05-24 14:10:33 +00:00
avg
920b1a8212 usb: fix a missed use of use_generic in r222051
Submitted by:	gcooper
Pointyhat to:	avg
MFC after:	1 month
X-MFC with:	r222051
2011-05-18 11:38:36 +00:00
glebius
53a0fd8ac3 LibAliasInit() should allocate memory with M_WAITOK flag. Modify it
and its callers.
2011-04-18 20:07:08 +00:00
glebius
ab9e7e1d2a Finish last change.
Pointy hat to: glebius
2011-04-18 14:07:01 +00:00
glebius
7af8d8ce83 Further cleanup of node creation path from M_NOWAIT usage.
2011-04-18 14:05:26 +00:00
glebius
5c189772ee ng_netflow_cache_init() can be void.
2011-04-18 09:14:23 +00:00
glebius
6c78a88c3b Node constructor methods are supposed to be called in syscall
context always. Convert nodes to consistently use M_WAITOK flag
for memory allocation.

Reviewed by:	julian
2011-04-18 09:12:27 +00:00
ae
636bed78e5 Use M_WAITOK flag instead of M_WAIT for malloc.
Suggested by:	glebius
MFC after:	1 week
2011-04-18 09:10:27 +00:00
glebius
92630a5a27 Fix an error where the error variable was assigned the result of a
comparison instead of the function return value.

Submitted by:	Przemyslaw Frasunek <przemyslaw frasunek.com>
MFC after:	4 days
2011-04-17 16:31:21 +00:00
zec
d633983d6c Properly unref ng_hub nodes on shutdown, so that we don't leak them.
MFC after:	3 days
2011-04-07 11:40:10 +00:00
glebius
a2628a4146 Improve locking of creating and dropping links in the graph, acquiring
the topology mutex in the following functions, that manipulate pointers
to peer nodes:

- ng_bypass()
- ng_path2noderef() when switching to the next node in sequence.
  Rewrite the function a bit.
- ng_address_hook()
- ng_address_path()

This patch improves stability of large mpd5 installations.
2011-03-21 14:18:40 +00:00
glebius
1a5e6539ec Remove spl(9) remnants.
2011-03-19 19:37:53 +00:00
bz
26db4c6ff3 Unbreak the build for no options INET6.
PR:		kern/155227
Submitted by:	Dmitry Afanasiev (KOT MATPOCKuH.Ru)
2011-03-03 16:16:49 +00:00
glebius
b732b9a1c5 Add support for NetFlow version 9 into ng_netflow(4) node.
Submitted by:	Alexander V. Chernikov <melifaro ipfw.ru>
2011-03-02 16:15:11 +00:00
ae
8d27150a02 Add XMIT_FAILOVER transmit algorithm to ng_one2many node. Packets are
delivered out the first active "many" hook.

PR:		kern/137775
Submitted by:	Maxim Ignatenko
MFC after:	2 weeks
2011-03-01 13:10:56 +00:00
brucec
6d9b42b486 Fix typos - remove duplicate "the".
PR:	bin/154928
Submitted by:	Eitan Adler <lists at eitanadler.com>
MFC after: 	3 days
2011-02-21 09:01:34 +00:00
bz
b9b7d3e93a Mfp4 CH=177274,177280,177284-177285,177297,177324-177325
VNET socket push back:
  try to minimize the number of places where we have to switch vnets
  and narrow down the time we stay switched.  Add assertions to the
  socket code to catch possibly unset vnets as seen in r204147.

  While this reduces the number of vnet recursions in some places like
  NFS, POSIX local sockets and some netgraph, ... recursions are
  impossible to fix.

  The current expectations are documented at the beginning of
  uipc_socket.c along with the other information there.

  Sponsored by: The FreeBSD Foundation
  Sponsored by: CK Software GmbH
  Reviewed by:  jhb
  Tested by:    zec

Tested by:	Mikolaj Golub (to.my.trociny gmail.com)
MFC after:	2 weeks
2011-02-16 21:29:13 +00:00
mdf
5ceb21c0a5 sysctl(9) cleanup checkpoint: amd64 GENERIC builds cleanly.
Commit the netgraph piece.
2011-01-12 19:53:39 +00:00
jhb
c17f46e472 Remove unneeded includes of <sys/linker_set.h>. Other headers that use
it internally contain nested includes.

Reviewed by:	bde
2011-01-11 13:59:06 +00:00
zec
f34281d968 Simplify ng_pipe locking model by relying on the netgraph framework
to provide serialization of calls into the node, which is accomplished
by marking the node as single-threaded (NGF_FORCE_WRITER).

The price we pay is that each ng_pipe instance now has its own callout
handler which polls for queued frames on each clock tick, as long as
the pipe has any frames in its internal queues.  OTOH, we got rid of
the global ng_pipe mutex, so from now on multiple ng_pipe instances
can operate in parallel.  This change also fixes counting of forwarded
frames when an ng_pipe node is not enforcing any packet impairments.

While here, attempt to improve adherence to style(9) throughout
otherwise mostly unreadable code.

MFC after:	3 days
2010-11-24 16:02:58 +00:00
dim
fb307d7d1d After some off-list discussion, revert a number of changes to the
DPCPU_DEFINE and VNET_DEFINE macros, as these cause problems for various
people working on the affected files.  A better long-term solution is
still being considered.  This reversal may give some modules empty
set_pcpu or set_vnet sections, but these are harmless.

Changes reverted:

------------------------------------------------------------------------
r215318 | dim | 2010-11-14 21:40:55 +0100 (Sun, 14 Nov 2010) | 4 lines

Instead of unconditionally emitting .globl's for the __start_set_xxx and
__stop_set_xxx symbols, only emit them when the set_vnet or set_pcpu
sections are actually defined.

------------------------------------------------------------------------
r215317 | dim | 2010-11-14 21:38:11 +0100 (Sun, 14 Nov 2010) | 3 lines

Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout
the tree.

------------------------------------------------------------------------
r215316 | dim | 2010-11-14 21:23:02 +0100 (Sun, 14 Nov 2010) | 2 lines

Add macros to define static instances of VNET_DEFINE and DPCPU_DEFINE.
2010-11-22 19:32:54 +00:00
zec
a5a86ab1cb Allow for MTU sizes of up to ETHER_MAX_LEN_JUMBO (i.e. 9018) bytes to be
configured on ng_eiface ifnets.  The default MTU remains unchanged at
1500 bytes.

Mark ng_eiface ifnets as IFCAP_VLAN_MTU capable, so that the associated
vlan(4) ifnets may use full-sized Ethernet MTUs (1500 bytes).

MFC after:	3 days
2010-11-22 12:32:19 +00:00
dim
fda4020a88 Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout
the tree.
2010-11-14 20:38:11 +00:00
rpaulo
3ad0c4bcd6 When calling panic(), always pass a format string.
2010-10-13 17:21:21 +00:00
emax
36a14ac3ff Fix typo
PR:	kern/140590
MFC after:	3 days
2010-08-02 22:26:08 +00:00
glebius
e3569a1c39 Fix operation of "netgraph" action in conjunction with the
net.inet.ip.fw.one_pass sysctl.

The "ngtee" action is still broken.

PR:		kern/148885
Submitted by:	Nickolay Dudorov <nnd mail.nsk.ru>
2010-07-27 14:26:34 +00:00
glebius
780c18e4c2 Zero padding fields of netflow records. This helps to reduce
the size of compressed export logs.

Requested by:	Alexey Illarionov <littlesavage orionet.ru>
2010-07-26 13:48:35 +00:00
emaste
e0da55d85c Remove defunct email address from header as well.
2010-07-06 16:55:39 +00:00
emaste
0292668c7f Remove email address that no longer exists.
2010-07-06 16:42:11 +00:00
zec
da1f525af0 Fix a double-free bug which can occur if both bit error rate and packet
duplication probability are configured on a ng_pipe node.

Submitted by:	Jeffrey Ahrenholtz
MFC after:	3 days
2010-07-06 12:13:15 +00:00
glebius
ffe13fc705 Avoid double-free. In error cases ipfw(4) frees the mbuf(4); we don't
need to.

PR:		kern/145462
2010-07-06 10:45:38 +00:00
glebius
f20ddfdf57 The struct ipfw_rule_ref follows the struct m_tag. Deal with this
correctly. This fixes breakage of ng_ipfw(4) in r201527.

Submitted by:	Alexander Zagrebin <alexz visp.ru>
2010-07-01 17:46:12 +00:00
ae
6dd2af5a95 * Include sys/systm.h for KASSERT()
* Remove unneeded includes and comment
* Replace home made OFFSETOF() macro with standard offsetof()

Pointed out by:	bde
Approved by:	kib (mentor)
2010-06-15 08:53:13 +00:00
ae
c2cccc78fe Style(9) fixes:
* Sort includes
* Replace #define<SPACE> to #define<TAB>
* Split declarations and initializations
* Split long lines

Requested by:	kib
Approved by:	kib (mentor)
MFC after:	1 month
2010-06-10 16:45:30 +00:00
ae
7e4a5049a9 New netgraph node ng_patch(4). It performs data modification of packets
passing through. Modifications are restricted to a subset of C language
operations on unsigned integers of 8, 16, 32 or 64 bit size.
These are: set to new value (=), addition (+=), subtraction (-=),
multiplication (*=), division (/=), negation (= -), bitwise AND (&=),
bitwise OR (|=), bitwise eXclusive OR (^=), shift left (<<=),
shift right (>>=). Several operations are all applied to a packet
sequentially, in the order they were specified by the user.

Submitted by:	Maxim Ignatenko <gelraen.ua at gmail.com>
		Vadim Goncharov <vadimnuclight at tpu.ru>
Discussed with:	net@
Approved by:	mav (mentor)
MFC after:	1 month
2010-06-09 12:25:57 +00:00