Commit Graph

214 Commits

Author SHA1 Message Date
Attilio Rao
cecd8edba5 Remove the suser(9) interface from the kernel. It has been replaced from
years by the priv_check(9) interface and just very few places are left.
Note that compatibility stub with older FreeBSD version
(all above the 8 limit though) are left in order to reduce diffs against
old versions. It is responsibility of the maintainers for any module, if
they think it is the case, to axe out such cases.

This patch breaks KPI so __FreeBSD_version will be bumped into a later
commit.

This patch needs to be credited 50-50 with rwatson@ as he found time to
explain me how the priv_check() works in detail and to review patches.

Tested by:      Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
Reviewed by:    rwatson
2008-09-17 15:49:44 +00:00
Tom Rhodes
7521cd74f6 Begin the sysctl descriptions with a capital letter.
Make some slight wording tweaks.
2008-07-25 23:54:07 +00:00
Tom Rhodes
941b15a3e0 Document a few sysctls.
Reviewed by:	rwatson
2008-07-20 15:25:20 +00:00
Robert Watson
59dd72d040 Remove NETISR_MPSAFE, which allows specific netisr handlers to be directly
dispatched without Giant, and add NETISR_FORCEQUEUE, which allows specific
netisr handlers to always be dispatched via a queue (deferred).  Mark the
usb and if_ppp netisr handlers as NETISR_FORCEQUEUE, and explicitly
acquire Giant in those handlers.

Previously, any netisr handler not marked NETISR_MPSAFE would necessarily
run deferred and with Giant acquired.  This change removes Giant
scaffolding from the netisr infrastructure, but NETISR_FORCEQUEUE allows
non-MPSAFE handlers to continue to force deferred dispatch so as to avoid
lock order reversals between their acqusition of Giant and any calling
context.

It is likely we will be able to remove NETISR_FORCEQUEUE once
IFF_NEEDSGIANT is removed, as non-MPSAFE usb and if_ppp drivers will no
longer be supported.

Reviewed by:	bz
MFC after:	1 month
X-MFC note:	We can't remove NETISR_MPSAFE from stable/7 for KPI reasons,
		but the rest can go back.
2008-07-04 00:21:38 +00:00
Robert Watson
9dea35a10a Rather than m_free(dtom(si)) in spx_reass(), return (1) which causes the
caller to free the mbuf without using dtom().

MFC after:	3 days
2008-05-29 07:18:43 +00:00
Robert Watson
bf898eb8c5 Correct minor comment typos, make white space use before block comments
more consistent.

MFC after:	3 days
2008-05-29 06:50:25 +00:00
Robert Watson
8ea4cf79cb Avoid unnecessary one use of dtom(9) in spx_input().
MFC after:	3 days
2008-05-26 22:54:38 +00:00
Julian Elischer
8b07e49a00 Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)

Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.

From my notes:

-----

  One thing where FreeBSD has been falling behind, and which by chance I
  have some time to work on is "policy based routing", which allows
  different
  packet streams to be routed by more than just the destination address.

  Constraints:
  ------------

  I want to make some form of this available in the 6.x tree
  (and by extension 7.x) , but FreeBSD in general needs it so I might as
  well do it in -current and back port the portions I need.

  One of the ways that this can be done is to have the ability to
  instantiate multiple kernel routing tables (which I will now
  refer to as "Forwarding Information Bases" or "FIBs" for political
  correctness reasons). Which FIB a particular packet uses to make
  the next hop decision can be decided by a number of mechanisms.
  The policies these mechanisms implement are the "Policies" referred
  to in "Policy based routing".

  One of the constraints I have if I try to back port this work to
  6.x is that it must be implemented as a EXTENSION to the existing
  ABIs in 6.x so that third party applications do not need to be
  recompiled in timespan of the branch.

  This first version will not have some of the bells and whistles that
  will come with later versions. It will, for example, be limited to 16
  tables in the first commit.
  Implementation method, Compatible version. (part 1)
  -------------------------------
  For this reason I have implemented a "sufficient subset" of a
  multiple routing table solution in Perforce, and back-ported it
  to 6.x. (also in Perforce though not  always caught up with what I
  have done in -current/P4). The subset allows a number of FIBs
  to be defined at compile time (8 is sufficient for my purposes in 6.x)
  and implements the changes needed to allow IPV4 to use them. I have not
  done the changes for ipv6 simply because I do not need it, and I do not
  have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.

  Other protocol families are left untouched and should there be
  users with proprietary protocol families, they should continue to work
  and be oblivious to the existence of the extra FIBs.

  To understand how this is done, one must know that the current FIB
  code starts everything off with a single dimensional array of
  pointers to FIB head structures (One per protocol family), each of
  which in turn points to the trie of routes available to that family.

  The basic change in the ABI compatible version of the change is to
  extent that array to be a 2 dimensional array, so that
  instead of protocol family X looking at rt_tables[X] for the
  table it needs, it looks at rt_tables[Y][X] when for all
  protocol families except ipv4 Y is always 0.
  Code that is unaware of the change always just sees the first row
  of the table, which of course looks just like the one dimensional
  array that existed before.

  The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
  are all maintained, but refer only to the first row of the array,
  so that existing callers in proprietary protocols can continue to
  do the "right thing".
  Some new entry points are added, for the exclusive use of ipv4 code
  called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
  which have an extra argument which refers the code to the correct row.

  In addition, there are some new entry points (currently called
  rtalloc_fib() and friends) that check the Address family being
  looked up and call either rtalloc() (and friends) if the protocol
  is not IPv4 forcing the action to row 0 or to the appropriate row
  if it IS IPv4 (and that info is available). These are for calling
  from code that is not specific to any particular protocol. The way
  these are implemented would change in the non ABI preserving code
  to be added later.

  One feature of the first version of the code is that for ipv4,
  the interface routes show up automatically on all the FIBs, so
  that no matter what FIB you select you always have the basic
  direct attached hosts available to you. (rtinit() does this
  automatically).

  You CAN delete an interface route from one FIB should you want
  to but by default it's there. ARP information is also available
  in each FIB. It's assumed that the same machine would have the
  same MAC address, regardless of which FIB you are using to get
  to it.

  This brings us as to how the correct FIB is selected for an outgoing
  IPV4 packet.

  Firstly, all packets have a FIB associated with them. if nothing
  has been done to change it, it will be FIB 0. The FIB is changed
  in the following ways.

  Packets fall into one of a number of classes.

  1/ locally generated packets, coming from a socket/PCB.
     Such packets select a FIB from a number associated with the
     socket/PCB. This in turn is inherited from the process,
     but can be changed by a socket option. The process in turn
     inherits it on fork. I have written a utility call setfib
     that acts a bit like nice..

         setfib -3 ping target.example.com # will use fib 3 for ping.

     It is an obvious extension to make it a property of a jail
     but I have not done so. It can be achieved by combining the setfib and
     jail commands.

  2/ packets received on an interface for forwarding.
     By default these packets would use table 0,
     (or possibly a number settable in a sysctl(not yet)).
     but prior to routing the firewall can inspect them (see below).
     (possibly in the future you may be able to associate a FIB
     with packets received on an interface..  An ifconfig arg, but not yet.)

  3/ packets inspected by a packet classifier, which can arbitrarily
     associate a fib with it on a packet by packet basis.
     A fib assigned to a packet by a packet classifier
     (such as ipfw) would over-ride a fib associated by
     a more default source. (such as cases 1 or 2).

  4/ a tcp listen socket associated with a fib will generate
     accept sockets that are associated with that same fib.

  5/ Packets generated in response to some other packet (e.g. reset
     or icmp packets). These should use the FIB associated with the
     packet being reponded to.

  6/ Packets generated during encapsulation.
     gif, tun and other tunnel interfaces will encapsulate using the FIB
     that was in effect withthe proces that set up the tunnel.
     thus setfib 1 ifconfig gif0 [tunnel instructions]
     will set the fib for the tunnel to use to be fib 1.

  Routing messages would be associated with their
  process, and thus select one FIB or another.
  messages from the kernel would be associated with the fib they
  refer to and would only be received by a routing socket associated
  with that fib. (not yet implemented)

  In addition Netstat has been edited to be able to cope with the
  fact that the array is now 2 dimensional. (It looks in system
  memory using libkvm (!)). Old versions of netstat see only the first FIB.

  In addition two sysctls are added to give:
  a) the number of FIBs compiled in (active)
  b) the default FIB of the calling process.

  Early testing experience:
  -------------------------

  Basically our (IronPort's) appliance does this functionality already
  using ipfw fwd but that method has some drawbacks.

  For example,
  It can't fully simulate a routing table because it can't influence the
  socket's choice of local address when a connect() is done.

  Testing during the generating of these changes has been
  remarkably smooth so far. Multiple tables have co-existed
  with no notable side effects, and packets have been routes
  accordingly.

  ipfw has grown 2 new keywords:

  setfib N ip from anay to any
  count ip from any to any fib N

  In pf there seems to be a requirement to be able to give symbolic names to the
  fibs but I do not have that capacity. I am not sure if it is required.

  SCTP has interestingly enough built in support for this, called VRFs
  in Cisco parlance. it will be interesting to see how that handles it
  when it suddenly actually does something.

  Where to next:
  --------------------

  After committing the ABI compatible version and MFCing it, I'd
  like to proceed in a forward direction in -current. this will
  result in some roto-tilling in the routing code.

  Firstly: the current code's idea of having a separate tree per
  protocol family, all of the same format, and pointed to by the
  1 dimensional array is a bit silly. Especially when one considers that
  there is code that makes assumptions about every protocol having the
  same internal structures there. Some protocols don't WANT that
  sort of structure. (for example the whole idea of a netmask is foreign
  to appletalk). This needs to be made opaque to the external code.

  My suggested first change is to add routing method pointers to the
  'domain' structure, along with information pointing the data.
  instead of having an array of pointers to uniform structures,
  there would be an array pointing to the 'domain' structures
  for each protocol address domain (protocol family),
  and the methods this reached would be called. The methods would have
  an argument that gives FIB number, but the protocol would be free
  to ignore it.

  When the ABI can be changed it raises the possibilty of the
  addition of a fib entry into the "struct route". Currently,
  the structure contains the sockaddr of the desination, and the resulting
  fib entry. To make this work fully, one could add a fib number
  so that given an address and a fib, one can find the third element, the
  fib entry.

  Interaction with the ARP layer/ LL layer would need to be
  revisited as well. Qing Li has been working on this already.

  This work was sponsored by Ironport Systems/Cisco

Reviewed by:    several including rwatson, bz and mlair (parts each)
Obtained from:  Ironport systems/Cisco
2008-05-09 23:03:00 +00:00
Dag-Erling Smørgrav
218cbbea9a Make tcpstates[] static, and make sure TCPSTATES is defined before
<netinet/tcp_fsm.h> is included into any compilation unit that needs
tcpstates[].  Also remove incorrect extern declarations and TCPDEBUG
conditionals.  This allows kernels both with and without TCPDEBUG to
build, and unbreaks the tinderbox.

Approved by:	re (rwatson)
2007-07-30 11:06:42 +00:00
Robert Watson
c2259ba44f Include priv.h to pick up suser(9) definitions, missed in an earlier
commit.

Warnings spotted by:	kris
2007-06-13 22:42:43 +00:00
Robert Watson
2281b8f054 Remove IPX over IP tunneling support, which allows IPX routing over IP
tunnels, and was not MPSAFE.  The code can be easily restored in the
event that someone with an IPX over IP tunnel configuration can work
with me to test patches.

This removes one of five remaining consumers of NET_NEEDS_GIANT.

Approved by:	re (kensmith)
2007-06-13 14:01:43 +00:00
Robert Watson
94ad7d68c7 Use ANSI C function declarations throughout netipx.
Remove 'register' use.
2007-05-11 10:38:34 +00:00
Robert Watson
54d642bbe5 Reduce network stack oddness: implement .pru_sockaddr and .pru_peeraddr
protocol entry points using functions named proto_getsockaddr and
proto_getpeeraddr rather than proto_setsockaddr and proto_setpeeraddr.
While it's true that sockaddrs are allocated and set, the net effect is
to retrieve (get) the socket address or peer address from a socket, not
set it, so align names to that intent.
2007-05-11 10:20:51 +00:00
Robert Watson
c724ad6648 Build ipx_ip.c only if options IPXIP is defined. No functional change. 2007-02-26 11:55:34 +00:00
Robert Watson
e89beb720d Fix a likely bug by adding what appears to be a missing break statement
in the IPX over IP configuration ioctl: when changing the flags on a
tunnel interface, return the generated error rather than always EINVAL.
2007-02-26 10:16:53 +00:00
Robert Watson
dd0cb30f89 Further style(9) for ipx_ip. 2007-02-25 00:17:56 +00:00
Robert Watson
ca642fe976 Improve ipx_ip.c's approximation of style(9). 2007-02-25 00:10:59 +00:00
Robert Watson
28b2aee58f Factor out UCB and my copyrights from copyrights of Mike Mitchell;
the former use a three-clause BSD license (per UCB authorization
letter), whereas he uses a four-clause BSD license.

MFC after:	3 days
2007-01-08 22:14:00 +00:00
Robert Watson
acd3428b7d Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
Robert Watson
a152f8a361 Change semantics of socket close and detach. Add a new protocol switch
function, pru_close, to notify protocols that the file descriptor or
other consumer of a socket is closing the socket.  pru_abort is now a
notification of close also, and no longer detaches.  pru_detach is no
longer used to notify of close, and will be called during socket
tear-down by sofree() when all references to a socket evaporate after
an earlier call to abort or close the socket.  This means detach is now
an unconditional teardown of a socket, whereas previously sockets could
persist after detach of the protocol retained a reference.

This faciliates sharing mutexes between layers of the network stack as
the mutex is required during the checking and removal of references at
the head of sofree().  With this change, pru_detach can now assume that
the mutex will no longer be required by the socket layer after
completion, whereas before this was not necessarily true.

Reviewed by:	gnn
2006-07-21 17:11:15 +00:00
Olivier Houchard
1334cfe00c Make this compile without INVARIANTS. 2006-04-11 23:15:47 +00:00
Robert Watson
bc725eafc7 Chance protocol switch method pru_detach() so that it returns void
rather than an error.  Detaches do not "fail", they other occur or
the protocol flags SS_PROTOREF to take ownership of the socket.

soclose() no longer looks at so_pcb to see if it's NULL, relying
entirely on the protocol to decide whether it's time to free the
socket or not using SS_PROTOREF.  so_pcb is now entirely owned and
managed by the protocol code.  Likewise, no longer test so_pcb in
other socket functions, such as soreceive(), which have no business
digging into protocol internals.

Protocol detach routines no longer try to free the socket on detach,
this is performed in the socket code if the protocol permits it.

In rts_detach(), no longer test for rp != NULL in detach, and
likewise in other protocols that don't permit a NULL so_pcb, reduce
the incidence of testing for it during detach.

netinet and netinet6 are not fully updated to this change, which
will be in an upcoming commit.  In their current state they may leak
memory or panic.

MFC after:	3 months
2006-04-01 15:42:02 +00:00
Robert Watson
ac45e92ff2 Change protocol switch pru_abort() API so that it returns void rather
than an int, as an error here is not meaningful.  Modify soabort() to
unconditionally free the socket on the return of pru_abort(), and
modify most protocols to no longer conditionally free the socket,
since the caller will do this.

This commit likely leaves parts of netinet and netinet6 in a situation
where they may panic or leak memory, as they have not are not fully
updated by this commit.  This will be corrected shortly in followup
commits to these components.

MFC after:      3 months
2006-04-01 15:15:05 +00:00
Robert Watson
e3c26fb50d Add a simple netipx TODO list to the end of README, since there are a
number of problems with netipx that I have not yet resolved, and I
don't want them lost track of.

MFC after:	1 month
2006-03-27 09:10:09 +00:00
Robert Watson
1322b45c3d Canonicalize copyright order in one more file that contains my
copyright.

MFC after:	1 month
2006-03-27 01:12:58 +00:00
Robert Watson
c3784d3460 In spx_output(), use M_DONTWAIT instead of M_TRYWAIT, as we hold the
ipxpcb mutex.  Contrary to the comment, even in 4.x this was unsafe,
as parallel use of the socket by another process would result in pcb
corruption if the mbuf allocation slept.

MFC after:	1 month
2006-03-27 00:48:21 +00:00
Robert Watson
dc6519ce4c In spx_input(), change a '&&' to a '||', as the spx trace code is able
to handle a NULL 'cb' here.

MFC after:	1 month
2006-03-27 00:08:32 +00:00
Robert Watson
0f5650dbf9 In spx_accept, assert ipxp != NULL, not == NULL.
MFC after:	1 month
2006-03-26 19:51:44 +00:00
Robert Watson
46589e7054 In various SPX protocol entry points from the socket layer, check
IPXP_DROPPED before continuing, and return EINVAL or ECONNRESET if
it is flagged.  It's unclear why each situation should be one or
the other, but it is copied from netinet which has the same bugs.

MFC after:	1 month
2006-03-26 19:37:37 +00:00
Robert Watson
722542bc34 Add a new ipxpcb flag, IPXP_SPX, which is set on ipxpcb's to mark them
as belonging to SPX.  This replaces the implicit assumption that the cb
pointer for non-SPX pcb's will be NULL.  This isn't required in TCP/IP
as different pcb lists are maintained for different IP protocols; IPX
stores all pcbs on the same global ipxpcb_list.

Foot provided by:	gnn
MFC after:		1 month
2006-03-26 15:41:44 +00:00
Robert Watson
0597c8cf73 Restore original formulation of SPX segment queue draining during SPX
PCB detach.

MFC after:	1 month
2006-03-26 02:33:44 +00:00
Robert Watson
818812244b Rework IPX/SPX socket and pcb reference model:
- Introduce invariant that all IPX/SPX sockets will have valid so_pcb
  pointers to ipxpcb structures, and that for SPX, the control block
  pointer will always be valid.  Don't attempt to free the socket or
  pcb at various odd points, such as disconnect.

- Add a new ipxpcb flag, IPXP_DROPPED, which will be set in place of
  freeing PCB's so that this invariant can be maintained.  This flag
  is now checked instead of a NULL check in various socket protocol
  calls.

- Introduce many assertions that this invariant holds.

- Various pieces of code, such as the SPX timer code, no longer needs
  to jump through hoops in case it frees a PCB while running.

- Break out ipx_pcbfree() from ipx_pcbdetach().  Likewise
  spx_pcbdetach().

- Comment on some SMP-related limitations to the SPX code.

- Update copyrights.

MFC after:	1 month
2006-03-25 17:28:42 +00:00
Robert Watson
92676aa962 Restructure spx_attach() to properly free memory in the event that one
of its allocations fails.  Allocate the ipxp last so as to avoid having
to free it if another allocation goes wrong.

Normalize retrieval of ipxp and cb from socket in spx_sp_attach(), and
add assertions.

MFC after:	1 month
2006-03-25 15:03:29 +00:00
Robert Watson
e7b7fc0ecd Don't bother restoring host byte order of mbuf fields when we're just
about to free the mbuf in the spx_input() error path.

MFC after:	1 month
2006-03-25 14:45:08 +00:00
Robert Watson
3945bca516 In spx_ctloutput(), acquire the ipxp lock around read operations,
especially reads of spx header structures, which will now be cached
in the stack until they can be copied out after releasing the lock.
Panic if a bad socket option direction is passed in by the caller.

MFC after:	1 month
2006-03-25 14:44:05 +00:00
Robert Watson
6d3d51f03e Slight style reformatting of spx_timers() comments; panic if an
unrecognized timer is passed into the function.

MFC after:	1 month
2006-03-25 14:29:03 +00:00
Robert Watson
a52526165e Include kernel.h to get NET_NEEDS_GIANT() definition, which for some
reason compiled fine here.  I may be running with other include file
changes locally.

MFC after:	3 days
2006-03-24 20:08:48 +00:00
Robert Watson
b8e00b4cf4 Clean up and style(9) SPX code prior to significant functional changes
being committed:

- Wrap comments more evenly on right border.
- Clean up braces.

Also, along similar lines:

- Assert some pointers are non-NULL before dereferencing them.
- Remove one assertion that looks, on face value, poor.

MFC after:	1 month
2006-03-24 13:58:23 +00:00
Robert Watson
ba8cc9aa46 Protect spx_iss using its own mutex, spx_mtx, rather than piggy-backing
on the global IPX mutex, which is not held at all necessary strategic
points.

MFC after:	1 month
2006-03-24 00:26:25 +00:00
Robert Watson
0850baa938 Move definition of spxrexmtthresh to top of file with other global
variables.

MFC after:	1 month
2006-03-24 00:22:25 +00:00
Robert Watson
8dba0c89c1 Canonicalize, update copyright.
Remove 'register'.
Use ANSI prototypes, not K&R.

MFC after:	1 month
2006-03-24 00:15:58 +00:00
Robert Watson
5ca770c90c Update copyright to 2006, comment on my contribution to this code in the
style of previous contributors.

MFC after:	1 month
2006-03-24 00:02:15 +00:00
Robert Watson
6252bd331d Comment that raw output filter code for IPX should run in a netisr so as
to avoid recursing the socket code, as this input path can run in the
call stack of an output path.

MFC after:	1 month
2006-03-24 00:00:23 +00:00
Robert Watson
48d699a78f When the kernel is compiled with options IPXIP, run the network stack
with Giant, as there is current unsafety in the IPX tunneled over IP
code.  There have been no reports of trouble, but there probably would
be if anyone were running this code at high speed on SMP systems.

MFC after:	3 days
2006-03-23 23:07:56 +00:00
Robert Watson
ddd14ad4fb Move spx_savesi from being a global variable to an automatically allocated
variable on the spx_input() stack.  It's not very large, and this will
avoid parallelism issues when spx_input() runs in more than one thread at
a time.

MFC after:	1 month
2006-03-23 19:58:12 +00:00
Robert Watson
7d01b89631 Admit to ourselves that we don't actually implement pr_ctlinput() for
IPX or SPX, as the code in the implementing functions is essentially
a no-op.  Replace with a comment indicating we don't implement these
currently.
2006-03-23 19:50:00 +00:00
Robert Watson
71c47d1480 In spx_attach() and spx_detach(), there is no need to check whether the
ipxpcb is NULL or not: in attach it will be, and on detach it won't be.
If for any reason these invariants don't hold true, panicking is a good
idea.

Noticed by:	Coverity Prevent analysis tool
MFC after:	3 days
2006-01-14 00:05:44 +00:00
Robert Watson
bfcff7c78e Remove dead code associated with 'mcopy' in ipx_forward(): at no point
are the contents of the forwarded mbuf ever copied into mcopy, so there's
no need to have mcopy, conditionally look at mcopy, or conditionally free
it.

Noticed by:	Coverity Prevent analysis tool
MFC after:	3 days
2006-01-13 23:47:55 +00:00
Andre Oppermann
71590103f4 Include ip_options.h for IPX-IP encapsulation.
Noticed by:	Tinderbox
Sponsored by:   TCP/IP Optimization Fundraise 2005
2005-11-20 16:17:12 +00:00
Ruslan Ermilov
303989a2f3 Use sparse initializers for "struct domain" and "struct protosw",
so they are easier to follow for the human being.
2005-11-09 13:29:16 +00:00