- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.
With much feedback from matt@ and plunky@.
the seq used by the request. It will improve consistency with the answer of SADB_GET
request and helps some applications which relies both on seq and pid.
Reported by Karl Knutsson by pr/36119.
parentheses in return statements.
Cosmetic: don't open-code TAILQ_FOREACH().
Cosmetic: change types of variables to avoid oodles of casts: in
in6_src.c, avoid casts by changing several route_in6 pointers
to struct route pointers. Remove unnecessary casts to caddr_t
elsewhere.
Pave the way for eliminating address family-specific route caches:
soon, struct route will not embed a sockaddr, but it will hold
a reference to an external sockaddr, instead. We will set the
destination sockaddr using rtcache_setdst(). (I created a stub
for it, but it isn't used anywhere, yet.) rtcache_free() will
free the sockaddr. I have extracted from rtcache_free() a helper
subroutine, rtcache_clear(). rtcache_clear() will "forget" a
cached route, but it will not forget the destination by releasing
the sockaddr. I use rtcache_clear() instead of rtcache_free()
in rtcache_update(), because rtcache_update() is not supposed
to forget the destination.
Constify:
1 Introduce const accessor for route->ro_dst, rtcache_getdst().
2 Constify the 'dst' argument to ifnet->if_output(). This
led me to constify a lot of code called by output routines.
3 Constify the sockaddr argument to protosw->pr_ctlinput. This
led me to constify a lot of code called by ctlinput routines.
4 Introduce const macros for converting from a generic sockaddr
to family-specific sockaddrs, e.g., sockaddr_in: satocsin6,
satocsin, et cetera.
rtcache_init and rtcache_init_noclone lookup ro_dst and store
the result in ro_rt, taking care of the reference counting and
calling the domain specific route cache.
rtcache_free checks if a route was cashed and frees the reference.
rtcache_copy copies ro_dst of the given struct route, checking that
enough space is available and incrementing the reference count of the
cached rtentry if necessary.
rtcache_check validates that the cached route is still up. If it isn't,
it tries to look it up again. Afterwards ro_rt is either a valid again
or NULL.
rtcache_copy is used internally.
Adjust to callers of rtalloc/rtflush in the tree to check the sanity of
ro_dst first (if necessary). If it doesn't fit the expectations, free
the cache, otherwise check if the cached route is still valid. After
that combination, a single check for ro_rt == NULL is enough to decide
whether a new lookup needs to be done with a different ro_dst.
Make the route checking in gre stricter by repeating the loop check
after revalidation.
Remove some unused RADIX_MPATH code in in6_src.c. The logic is slightly
changed here to first validate the route and check RTF_GATEWAY
afterwards. This is sementically equivalent though.
etherip doesn't need sc_route_expire similiar to the gif changes from
dyoung@ earlier.
Based on the earlier patch from dyoung@, reviewed and discussed with
him.
routing caused by stale route caches (struct route). Route caches
are sprinkled throughout PCBs, the IP fast-forwarding table, and
IP tunnel interfaces (gre, gif, stf).
Stale IPv6 and ISO route caches will be treated by separate patches.
Thank you to Christoph Badura for suggesting the general approach
to invalidating route caches that I take here.
Here are the details:
Add hooks to struct domain for tracking and for invalidating each
domain's route caches: dom_rtcache, dom_rtflush, and dom_rtflushall.
Introduce helper subroutines, rtflush(ro) for invalidating a route
cache, rtflushall(family) for invalidating all route caches in a
routing domain, and rtcache(ro) for notifying the domain of a new
cached route.
Chain together all IPv4 route caches where ro_rt != NULL. Provide
in_rtcache() for adding a route to the chain. Provide in_rtflush()
and in_rtflushall() for invalidating IPv4 route caches. In
in_rtflush(), set ro_rt to NULL, and remove the route from the
chain. In in_rtflushall(), walk the chain and remove every route
cache.
In rtrequest1(), call rtflushall() to invalidate route caches when
a route is added.
In gif(4), discard the workaround for stale caches that involves
expiring them every so often.
Replace the pattern 'RTFREE(ro->ro_rt); ro->ro_rt = NULL;' with a
call to rtflush(ro).
Update ipflow_fastforward() and all other users of route caches so
that they expect a cached route, ro->ro_rt, to turn to NULL.
Take care when moving a 'struct route' to rtflush() the source and
to rtcache() the destination.
In domain initializers, use .dom_xxx tags.
KNF here and there.
NAT-T changes. Matches changes to reference non-nonexistent structs in
sys/netkey.
I have no clue if this is correct, but it matches the style in
sys/netkey, and (unlike the previous two revisions) it actually compiles...
because the sysctl() code wasn't setting the requestor-pid field in dump
responses, the reworked unicast dump wasn't setting the requestor pid, either.
More exaclty, the pid field was set to 0.
No problem for setkey(8), but racoon reportedly ignores SADB dump-responses
with any pid (including 0) which doesn't match its own pid. A private bug
report says the 0-valued pid field broke racoon code which attempts to recover
from death of a prior racoon process, by dumping the SADB at startup.
Fix by revising sys/netipsec, so that both the new unicast PF_KEY dump
responses and the sysctl code set the requestor pid field in all
response mesages to DUMP requests.
Introduce new socket-layer function sbappendaddrchain() to
sys/kern/uipc_socket2.c: like sbappendaddr(), only takes a chain of
records and appends the entire chain in one pass. sbappendaddrchain()
also takes an `sbprio' argument, which indicates the caller requires
special `reliable' handling of the socket-buffer. `sbprio' is
described in sys/sys/socketvar.h, although (for now) the different
levels are not yet implemented.
Rework sys/netipsec/key.c PF_KEY DUMP responses to build a chain of
mbuf records, one record per dump response. Unicast the entire chain
to the requestor, with all-or-none semantics.
Changed files;
sys/socketvar.h kern/uipc_socket2.c netipsec/key.c
Reviewed by:
Jason Thorpe, Thor Lancelot Simon, post to tech-kern.
Todo: request pullup to 2.0 branch. Post-2.0, rework sysctl() API for
dumps to use new record-chain constructors. Actually implement
the distinct service levels in sbappendaddrchain() so we can use them
to make PF_KEY ACQUIRE messages more reliable.
KAME sys/netkey/key.c rev 1.119 ke_sp_unlink()/key_sp_dead() logic.
I have been running a similar version for about 10 days now, and it
fixes the PCB-cache refcount problems for me.
Checked in as a candidate for pullup to the 2.0 branch.
key_prefered_oldsa, defaulted to 1 (on): preferring old SAs, based on
the ill-concieved Jenkins I-D, is broken by design. For now, just
turn it off, as the simplest way to fix this in the 2.0 branch.
Next step is to rip it out entirely: it was always a bad idea.
#1. Fix an off-by-one error in sysctl_net_key_dumpsa(), which was
passing sysctl argument name[1] to a helper. According to Andrew
Brown's revised dynamic sysctl schmea, it must instead pass name[0].
2. There is a naming glitch in using sysctl() for setkey(8): setkey
queries the same sysctl MIB numbers to dump IPsec database state,
irrepesctive of the underlying IPsec is KAME or FAST_IPSEC.
For this to work as expected, sys/netipsec must export net.key.dumpsa
and net.key.dumpsp via the identical MIB numbers used by sys/netkey.
``Make it so''. For now, renumber the sys/netipsec/key.c nodes;
post-2.0 we can use sysctl aliases.
3. For as-yet-unexplained reasons, the PF_KEY_V2 nodes are never
shown (or queried?) by sysctl(8). For 2.0, I am following an earlier
suggestion from Andrew Brown, and renumbering allthe FAST_IPSEC sysctl
nodes to appear under net.key at MIB number { CTL_NET, PF_KEY }. Since
the renumbering may change, the renumbering is done via a level of
indirection in the C preprocessor.
The nett result is that setkey(8) can find the nodes it needs for
setkey -D and setkey -PD: and that sysctl(8) finds all the FAST_IPSEC
sysctl nodes relatedy to IPsec keying, under net.key. Andrew Brown
has reviewed this patch and tentatively approved the changes, though
we may rework some of the changes in -current in the near future.
SPDs, and to warn about and reject any such attempts.
Addresses a security concern, that the (eas-yet incomplete, experimental)
FAST_IPSEC+INET6 does not honour IPv6 SPDs. The security risk is that
Naive users may not realize this, and their data may get leaked in
cleartext, rather than IPsec'ed, if they use IPv6.
Security issue raised by: Thor Lancelot Simon
reviewed and OKed by: Thor Lancelot Simon
2.0 Pullup request after: 24 hours for further public comment.
