Commit Graph

147 Commits

Author SHA1 Message Date
matt 79b1afa490 Change test for M_EXT to M_READONLY for MROUTING. We only need to to do
a pullup if we aren't allowed to modify the packet.
2002-04-18 22:33:21 +00:00
thorpej a180cee23b Pool deals fairly well with physical memory shortage, but it doesn't
deal with shortages of the VM maps where the backing pages are mapped
(usually kmem_map).  Try to deal with this:

* Group all information about the backend allocator for a pool in a
  separate structure.  The pool references this structure, rather than
  the individual fields.
* Change the pool_init() API accordingly, and adjust all callers.
* Link all pools using the same backend allocator on a list.
* The backend allocator is responsible for waiting for physical memory
  to become available, but will still fail if it cannot callocate KVA
  space for the pages.  If this happens, carefully drain all pools using
  the same backend allocator, so that some KVA space can be freed.
* Change pool_reclaim() to indicate if it actually succeeded in freeing
  some pages, and use that information to make draining easier and more
  efficient.
* Get rid of PR_URGENT.  There was only one use of it, and it could be
  dealt with by the caller.

From art@openbsd.org.
2002-03-08 20:48:27 +00:00
itojun 8832af6e59 correctly enforce ipsec policy check on forwarding case.
From: Greg Troxel <gdt@ir.bbn.com>, Bill Chiarchiaro <wjc@work.cleartech.com>
2002-02-25 02:17:55 +00:00
martin a7d662b71c Clear M_BCAST and M_MCAST on outgoing mbufs.
Don't copy ttl from the inner packet to the encapsulating packet. Make
the outer ttl sysctl'able. This should close PR 14269 from Jasper Wallace
(change partly from there) and it makes traceroute work over gre tunnels.
2002-02-24 17:22:20 +00:00
itojun 9c68db2bfc suppress source quence message, based on router-req RFC (also could be abused
as DoS traffic generator).  from kjc/kame
2002-02-21 08:39:33 +00:00
darrenr dd626d89c9 recompute hlen after calling pfil_run_hooks() in case ip_hl was changed. 2001-11-28 09:25:13 +00:00
lukem ea1cd7eb08 add RCSIDs 2001-11-13 00:32:34 +00:00
matt da5a70805c Convert netinet to not use the internal <sys/queue.h> field names
but instead the access macros.  Use the FOREACH macros where appropriate.
2001-11-04 20:55:25 +00:00
matt 47577dca93 Change a few variable/tables to const since they are read-only. 2001-11-04 13:42:27 +00:00
simonb 5f717f7c33 Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h>
anymore.
2001-10-29 07:02:30 +00:00
thorpej d679590033 Split the pre-computed ifnet checksum flags into Tx and Rx directions.
Add capabilities bits that indicate an interface can only perform
in-bound TCPv4 or UDPv4 checksums.  There is at least one Gig-E chip
for which this is true (Level One LXT-1001), and this is also the
case for the Intel i82559 10/100 Ethernet chips.
2001-09-17 17:26:59 +00:00
itojun 57030e2f12 cache IPsec policy on in6?pcb. most of the lookup operations can be bypassed,
especially when it is a connected SOCK_STREAM in6?pcb.  sync with kame.
2001-08-06 10:25:00 +00:00
thorpej ad9d3794b0 Implement support for IP/TCP/UDP checksum offloading provided by
network interfaces.  This works by pre-computing the pseudo-header
checksum and caching it, delaying the actual checksum to ip_output()
if the hardware cannot perform the sum for us.  In-bound checksums
can either be fully-checked by hardware, or summed up for final
verification by software.  This method was modeled after how this
is done in FreeBSD, although the code is significantly different in
most places.

We don't delay checksums for IPv6/TCP, but we do take advantage of the
cached pseudo-header checksum.

Note: hardware-assisted checksumming defaults to "off".  It is
enabled with ifconfig(8).  See the manual page for details.

Implement hardware-assisted checksumming on the DP83820 Gigabit Ethernet,
3c90xB/3c90xC 10/100 Ethernet, and Alteon Tigon/Tigon2 Gigabit Ethernet.
2001-06-02 16:17:09 +00:00
lukem 07d4fbd104 fix spelo in comment 2001-05-21 03:31:36 +00:00
itojun 8799a9c64b give a default value to net.inet.ip.maxfragpackets, to protect us from
"lots of fragmented packets" DoS attack.

the current default value is derived from ipv6 counterpart, which is
a magical value "200".  it should be enough for normal systems, not sure
if it is enough when you take hundreds of thousands of tcp connections on
your system.  if you have proposal for a better value with concrete reasons,
let me know.
2001-04-16 17:03:33 +00:00
thorpej bf2dcec4f5 Remove the use of splimp() from the NetBSD kernel. splnet()
and only splnet() is allowed for the protection of data structures
used by network devices.
2001-04-13 23:29:55 +00:00
itojun 4b72eeeee5 net.inet.ip.maxfragpackets defines the maximum size of ip reass queue
(prevents fragment flood from chewing up mbuf memory space).
derived from KAME net.inet6.ip6.maxfragpackets.
2001-03-27 02:24:38 +00:00
itojun 7806b5d1f3 increase ipstat.ips_badaddr if the packet fails to pass address checks. 2001-03-02 04:26:10 +00:00
itojun 89b4c3edc6 reject packets with 127/8 on IPv4 src/dst, they must not appear on wire
(RFC1122).  torture-tests will be welcomed.
XXX do we want to check source routing headers as well?
2001-03-02 02:05:36 +00:00
itojun 2d6047cff9 make sure to enforce inbound ipsec policy checking, for any protocols on top
of ip (check it when final header is visited).  sync with kame.
XXX kame team will need to re-check policy engine code
2001-03-01 16:31:37 +00:00
itojun 617b3fab7e - record IPsec packet history into m_aux structure.
- let ipfilter look at wire-format packet only (not the decapsulated ones),
  so that VPN setting can work with NAT/ipfilter settings.
sync with kame.

TODO: use header history for stricter inbound validation
2001-01-24 09:04:15 +00:00
thorpej ad5b855ef0 Back out the sledgehammer damage applied by wiz while I was out for
the holiday.
2000-12-28 21:40:59 +00:00
wiz 32e20d8993 Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.
2000-12-25 02:00:46 +00:00
thorpej d0357bdb4f Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type.  This allows for more future
flexibility with the pfil_hook mechanism.
2000-12-22 20:01:17 +00:00
thorpej d9a9544a2f Add ALTQ glue. XXX Temporary until ALTQ is changed to use a pfil hook. 2000-12-14 17:36:44 +00:00
itojun f9ed4a5d70 IFA_STATS stability (not complete); don't touch ip if it is NULL. 2000-11-24 03:43:20 +00:00
thorpej 65fd25ea82 Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
  fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
  The "dlt" is a BPF data link type, indicating what type of header is
  present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
  dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
  an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
  less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.
2000-11-11 00:52:36 +00:00
ad 642267bcc7 Update for hashinit() change. 2000-11-08 14:28:12 +00:00
itojun 6572421763 make sure we don't share external mbuf between m and mcopy, in ip_forward().
should solve PR 11201.
2000-10-13 01:50:04 +00:00
itojun 26dc854c41 make sure anonport{min,max} is not negative number 2000-08-26 10:41:29 +00:00
tron a97bfde931 Add new sysctl variables "net.inet.ip.lowportmin" and
"net.inet.ip.lowportmax" which can be used to the set minimum
and maximum port number assigned to sockets using
IP_PORTRANGE_LOW.
2000-08-25 13:35:05 +00:00
itojun 210a3e2f80 remove unnecessary #include <netkey/key_debug.h>. from kame. 2000-07-06 12:51:39 +00:00
mrg cf594a3f4d <vm/vm.h> -> <uvm/uvm_extern.h> 2000-06-28 03:01:16 +00:00
itojun 8a0fabf8cf add missing boundary checks to ip options processing.
correct timestamp option validation (len and ptr upper/lower bound
based on RFC791).
fill "pointer" field for parameter problem in timestamp option processing.
2000-05-10 03:31:30 +00:00
itojun b3c4ed6cf7 correct more out-of-bounds memory access, if cnt == 1 and optlen > 1. 2000-05-10 01:19:44 +00:00
sommerfeld 90f481ef3f Handle large offsets with very small options correctly. 2000-05-06 16:35:14 +00:00
jdolecek a59a99b6dc Slighly improve previous - only include <netinet/ip_mroute.h> if MROUTING
is defined.
2000-03-31 14:27:17 +00:00
jdolecek c2acbd102b include <netinet/ip_mroute.h> for ip_mforward() - needed after
last duplicate prototype sweep (prototype for ip_mforward() used to be in <netinet/ip_var.h>)
2000-03-31 08:34:20 +00:00
augustss 8529438fe6 Remove register declarations. 2000-03-30 12:51:13 +00:00
simonb c2693b78a0 Delete uninitialised declaration of ip_defttl - there's an initialised
decl earlier in this file.
2000-03-30 02:35:24 +00:00
thorpej 0fcf68825f Back out previous, and adjust a comment. 2000-03-10 22:39:03 +00:00
thorpej d315d42657 Back out part of 1.104 which isn't actually needed. 2000-03-07 05:39:57 +00:00
itojun 38441b4ae3 remove unnecessary ttl initialization which I mistakingly bringed in
during KAME merge (this is part of WIDE's expeirmental reass code...)
NetBSD PR: 9412
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
Fix from: ho@crt.se
itojun was notified from: theo
2000-03-03 13:07:42 +00:00
thorpej 754bba7b6c Avoid a bug in GCC which manifests itself when processing unaligned
IP options.  Problem pointed out by Matt Hargett and Erik Fair, analyzed
by me.
2000-03-02 06:07:36 +00:00
itojun 04ac848d6f introduce m->m_pkthdr.aux to hold random data which needs to be passed
between protocol handlers.

ipsec socket pointers, ipsec decryption/auth information, tunnel
decapsulation information are in my mind - there can be several other usage.
at this moment, we use this for ipsec socket pointer passing.  this will
avoid reuse of m->m_pkthdr.rcvif in ipsec code.

due to the change, MHLEN will be decreased by sizeof(void *) - for example,
for i386, MHLEN was 100 bytes, but is now 96 bytes.
we may want to increase MSIZE from 128 to 256 for some of our architectures.

take caution if you use it for keeping some data item for long period
of time - use extra caution on M_PREPEND() or m_adj(), as they may result
in loss of m->m_pkthdr.aux pointer (and mbuf leak).

this will bump kernel version.

(as discussed in tech-net, tested in kame tree)
2000-03-01 12:49:27 +00:00
darrenr 4b3916780b pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".
2000-02-20 00:56:33 +00:00
darrenr fd7edad6c3 Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc.  The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list.  This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also.  The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.
2000-02-17 10:59:32 +00:00
itojun 729f693364 - if ip_dst matches address on !IFF_UP interface, and
- there's no match against addresses on IFF_UP interface,
send icmp unreach if I'm router.  drop it if I'm host.

Revised version of PR: 9387 from nrt@iij.ad.jp.  Discussed with thorpej+nrt.
2000-02-16 12:40:40 +00:00
thorpej fd4ed9b425 Typo (Thanks, Havard :-) 2000-02-12 18:00:00 +00:00
thorpej 46f7b67929 Small cosmetic change, and note a place where a statistic should be
gathered.
2000-02-12 17:45:44 +00:00