Commit Graph

1961 Commits

Author SHA1 Message Date
thorpej 7cc07e11dc TRUE -> true, FALSE -> false 2007-02-22 06:16:03 +00:00
matt 93feeb1203 Fix lossage from boolean_t -> bool and updated x86 bus_dma. 2007-02-22 04:38:02 +00:00
thorpej 712239e366 Replace the Mach-derived boolean_t type with the C99 bool type. A
future commit will replace use of TRUE and FALSE with true and false.
2007-02-21 22:59:35 +00:00
dyoung 5493f188c7 KNF: de-__P, bzero -> memset, bcmp -> memcmp. Remove extraneous
parentheses in return statements.

Cosmetic: don't open-code TAILQ_FOREACH().

Cosmetic: change types of variables to avoid oodles of casts: in
   in6_src.c, avoid casts by changing several route_in6 pointers
   to struct route pointers.  Remove unnecessary casts to caddr_t
   elsewhere.

Pave the way for eliminating address family-specific route caches:
   soon, struct route will not embed a sockaddr, but it will hold
   a reference to an external sockaddr, instead.  We will set the
   destination sockaddr using rtcache_setdst().  (I created a stub
   for it, but it isn't used anywhere, yet.)  rtcache_free() will
   free the sockaddr.  I have extracted from rtcache_free() a helper
   subroutine, rtcache_clear().  rtcache_clear() will "forget" a
   cached route, but it will not forget the destination by releasing
   the sockaddr.  I use rtcache_clear() instead of rtcache_free()
   in rtcache_update(), because rtcache_update() is not supposed
   to forget the destination.

Constify:

   1 Introduce const accessor for route->ro_dst, rtcache_getdst().

   2 Constify the 'dst' argument to ifnet->if_output().  This
     led me to constify a lot of code called by output routines.

   3 Constify the sockaddr argument to protosw->pr_ctlinput.  This
     led me to constify a lot of code called by ctlinput routines.

   4 Introduce const macros for converting from a generic sockaddr
     to family-specific sockaddrs, e.g., sockaddr_in: satocsin6,
     satocsin, et cetera.
2007-02-17 22:34:07 +00:00
dyoung c80b247b25 Join lines. 2007-02-17 05:36:29 +00:00
dyoung 7ed406393a s/in_rtflush/in_rtcache/g 2007-02-17 05:35:50 +00:00
dyoung f272db0899 bzero -> memset 2007-02-17 05:31:39 +00:00
dyoung 08f386424b bcopy -> memcpy
Use NULL instead of (struct rtentry *)0.
2007-02-17 05:31:15 +00:00
degroote e2211411a4 Commit my SoC work
Add ipv6 support for fast_ipsec
Note that currently, packet with extensions headers are not correctly
supported
Change the ipcomp logic
2007-02-10 09:43:05 +00:00
dyoung ad4f290a37 bzero -> memset. 2007-01-29 06:00:11 +00:00
dyoung 24c98aa46f In ip_setmoptions(), don't leave a route cache (struct route) on
the stack if we exit with EADDRNOTAVAIL.
2007-01-29 05:59:30 +00:00
dyoung 0468886560 Cosmetic: remove extraneous, non-KNF parentheses. Change a
sizeof(type) to a sizeof(*ptr) so the correctness of the statement
is correct "at a glance" (or so I hope).
2007-01-29 05:48:56 +00:00
dyoung 4921da146d bzero -> memset 2007-01-29 05:46:33 +00:00
dyoung d8316ce94e KNF: bzero -> memset, change (struct in_ifaddr *)0 to NULL. 2007-01-26 19:15:26 +00:00
dyoung 3cd4307b24 bzero -> memset 2007-01-26 19:12:21 +00:00
joerg 7645663790 Unconditionally zero and free iproute. Before IPsec tunnel packets e.g.
from ICMP could end up in leaking the reference in iproute, as
ipsec4_output would overwrite the ro pointer in state.

Tested by Juraj Hercek and supposed to fix PR kern/35273 and kern/35318.
2007-01-13 23:13:46 +00:00
yamt 48bbcc400d ip_output: reload ip_len after running pfil_run_hooks.
pf "fragment reassemble" rule can change it, at least.
2007-01-08 04:14:54 +00:00
joerg fbd2dfee02 Use rtcache_free for consistency. 2007-01-05 15:47:33 +00:00
elad b2eb9a5389 Consistent usage of KAUTH_GENERIC_ISSUSER. 2007-01-04 19:07:03 +00:00
ad dd85fd121f ipintr(): check if the queue is empty before looping. Hardly a giant
win, but removed 30% of splnet() calls in one local test.
2006-12-22 05:34:02 +00:00
christos ae91f9ec0a According to ANSI c the only portably defined bitfields are unsigned int ones. 2006-12-17 20:07:36 +00:00
joerg eb04733c4e Introduce new helper functions to abstract the route caching.
rtcache_init and rtcache_init_noclone lookup ro_dst and store
the result in ro_rt, taking care of the reference counting and
calling the domain specific route cache.
rtcache_free checks if a route was cashed and frees the reference.
rtcache_copy copies ro_dst of the given struct route, checking that
enough space is available and incrementing the reference count of the
cached rtentry if necessary.
rtcache_check validates that the cached route is still up. If it isn't,
it tries to look it up again. Afterwards ro_rt is either a valid again
or NULL.
rtcache_copy is used internally.

Adjust to callers of rtalloc/rtflush in the tree to check the sanity of
ro_dst first (if necessary). If it doesn't fit the expectations, free
the cache, otherwise check if the cached route is still valid. After
that combination, a single check for ro_rt == NULL is enough to decide
whether a new lookup needs to be done with a different ro_dst.
Make the route checking in gre stricter by repeating the loop check
after revalidation.
Remove some unused RADIX_MPATH code in in6_src.c. The logic is slightly
changed here to first validate the route and check RTF_GATEWAY
afterwards. This is sementically equivalent though.
etherip doesn't need sc_route_expire similiar to the gif changes from
dyoung@ earlier.

Based on the earlier patch from dyoung@, reviewed and discussed with
him.
2006-12-15 21:18:52 +00:00
dyoung c308b1c661 Here are various changes designed to protect against bad IPv4
routing caused by stale route caches (struct route).  Route caches
are sprinkled throughout PCBs, the IP fast-forwarding table, and
IP tunnel interfaces (gre, gif, stf).

Stale IPv6 and ISO route caches will be treated by separate patches.

Thank you to Christoph Badura for suggesting the general approach
to invalidating route caches that I take here.

Here are the details:

Add hooks to struct domain for tracking and for invalidating each
domain's route caches: dom_rtcache, dom_rtflush, and dom_rtflushall.

Introduce helper subroutines, rtflush(ro) for invalidating a route
cache, rtflushall(family) for invalidating all route caches in a
routing domain, and rtcache(ro) for notifying the domain of a new
cached route.

Chain together all IPv4 route caches where ro_rt != NULL.  Provide
in_rtcache() for adding a route to the chain.  Provide in_rtflush()
and in_rtflushall() for invalidating IPv4 route caches.  In
in_rtflush(), set ro_rt to NULL, and remove the route from the
chain.  In in_rtflushall(), walk the chain and remove every route
cache.

In rtrequest1(), call rtflushall() to invalidate route caches when
a route is added.

In gif(4), discard the workaround for stale caches that involves
expiring them every so often.

Replace the pattern 'RTFREE(ro->ro_rt); ro->ro_rt = NULL;' with a
call to rtflush(ro).

Update ipflow_fastforward() and all other users of route caches so
that they expect a cached route, ro->ro_rt, to turn to NULL.

Take care when moving a 'struct route' to rtflush() the source and
to rtcache() the destination.

In domain initializers, use .dom_xxx tags.

KNF here and there.
2006-12-09 05:33:04 +00:00
joerg c882b2cbc1 When a dynamic route is deleted in in_losing and in6_losing, rtrequest
is called, but the current reference via the PCB is not removed. This
is effectively a leaked reference. Call rtfree unconditional.
2006-12-08 16:06:22 +00:00
jdc 6d7a98c7bc Explicitly include <sys/device.h>, which we need for `struct device'.
This allows us to compile on !i386.  (On i386, <machine/cpu.h> pulled
in <sys/device.h> for us, thus hiding the compilation problem.)

OK by rpaulo@.
2006-12-06 21:42:38 +00:00
yamt 8836e5995d add some more tcp mowners. 2006-12-06 09:10:45 +00:00
yamt f5830ee995 - make tcp_reass static.
- constify.
2006-12-06 09:08:27 +00:00
dyoung 2bbeb90e43 Remove stray curly brace. Thanks, yamt! 2006-12-06 04:29:09 +00:00
dyoung d7a8741d84 KNF. 2006-12-06 00:39:56 +00:00
dyoung 0394fe1e42 KNF. 2006-12-06 00:38:16 +00:00
yamt 401e606d0d move tso-by-software code to their own files. no functional changes. 2006-11-25 18:41:36 +00:00
christos 3d98aa3f4b fix spelling of accidentally; from Zapher 2006-11-24 19:37:02 +00:00
martin 54b769f306 Make it compile on IPv4-only kernels 2006-11-23 23:12:59 +00:00
yamt 809ec70bcf implement ipv6 TSO.
partly from Matthias Scheler.  tested by him.
2006-11-23 19:41:58 +00:00
tron 9506122aab Backout accidental commit which broke kernel builds. 2006-11-23 09:43:56 +00:00
rpaulo 5423539f94 New EtherIP driver based on tap(4) and gif(4) by Hans Rosenfeld.
Notable changes:
	* Fixes PR 34268.
	* Separates the code from gif(4) (which is more cleaner).
	* Allows the usage of STP (Spanning Tree Protocol).
	* Removed EtherIP implementation from gif(4)/tap(4).

Some input from Christos.
2006-11-23 04:07:07 +00:00
dyoung 8cfa750e0f Use LIST_FOREACH(). 2006-11-16 22:54:14 +00:00
dyoung 641edc65f1 Cosmetic: s/g_proto/sc_proto/. Remove superfluous parentheses and
curly braces.
2006-11-16 22:26:35 +00:00
christos 168cd830d2 __unused removal on arguments; approved by core. 2006-11-16 01:32:37 +00:00
rpaulo 7c10983a54 Remove ifndef COMPAT_42. No objections in tech-net. 2006-11-14 12:05:55 +00:00
dyoung 2d1d707101 Plug memory leak. 2006-11-13 05:48:00 +00:00
dyoung a25eaede91 Add a source-address selection policy mechanism to the kernel.
Also, add ioctls SIOCGIFADDRPREF/SIOCSIFADDRPREF to get/set preference
numbers for addresses.  Make ifconfig(8) set/display preference
numbers.

To activate source-address selection policies in your kernel, add
'options IPSELSRC' to your kernel configuration.

Miscellaneous changes in support of source-address selection:

        1 Factor out some common code, producing rt_replace_ifa().

        2 Abbreviate a for-loop with TAILQ_FOREACH().

        3 Add the predicates on IPv4 addresses IN_LINKLOCAL() and
          IN_PRIVATE(), that are true for link-local unicast
          (169.254/16) and RFC1918 private addresses, respectively.
          Add the predicate IN_ANY_LOCAL() that is true for link-local
          unicast and multicast.

        4 Add IPv4-specific interface attach/detach routines,
          in_domifattach and in_domifdetach, which build #ifdef
          IPSELSRC.

See in_getifa(9) for a more thorough description of source-address
selection policy.
2006-11-13 05:13:38 +00:00
yamt d4d55c3dc9 tcp_ctloutput: when called for a socket which is not AF_INET or AF_INET6,
panic rather than returning possibly leaking an mbuf.
2006-11-10 13:19:16 +00:00
yamt 22ffb8ee31 udp_ctloutput: plug a memory leak. 2006-11-10 13:02:32 +00:00
yamt 850e08319b remove some __unused in function parameters. 2006-11-10 13:01:55 +00:00
yamt d547c3b722 udp_ctloutput: remove unnecessary goto and break. 2006-11-10 13:00:23 +00:00
yamt 511f1a8ff8 udp_ctloutput: ansify. 2006-11-10 12:59:59 +00:00
christos 9217ff877d Fix typo (hi Elad) 2006-10-30 00:58:21 +00:00
elad adf8d7aab2 Introduce KAUTH_REQ_NETWORK_SOCKET_OPEN, to check if opening a socket is
allowed. It takes three int * arguments indicating domain, type, and
protocol. Replace previous KAUTH_REQ_NETWORK_SOCKET_RAWSOCK with it (but
keep it still).

Places that used to explicitly check for privileged context now don't
need it anymore, so I replaced these with XXX comment indiacting it for
future reference.

Documented and updated examples as well.
2006-10-25 22:49:22 +00:00
elad f2ce4f0704 Kill some KAUTH_GENERIC_ISSUSER. 2006-10-25 18:11:22 +00:00
elad 75939147ff Kill some KAUTH_GENERIC_ISSUSER. 2006-10-25 12:48:44 +00:00
yamt 80e1bbb713 add sack_dump(), a function to dump sack holes, if defined(DDB). 2006-10-21 10:26:21 +00:00
yamt 7253aad93f constify. 2006-10-21 10:24:47 +00:00
yamt c31e22237d - constify.
- make tcp_dooptions and tcpipqent_pool static.
2006-10-21 10:08:54 +00:00
liamjfoy cd64dacbef Remove some dead code - From OpenBSD Rev. 1.129 2006-10-20 19:13:02 +00:00
reinoud 78f5b5f9d5 Fix alignment problems causing regular panics in tpc_sack_option on
NetBSD/alpha and NetBSD/sparc. This fixes PR#34751.

The problem most likely started to show in gcc4 and is caused by the use of
a casting to an uint32_t pointer that is later copied from using memcpy.
Gcc detects the copying of 4 bytes from an uint32_t pointer and decides to
just replace it with an aligned copy causing the trap.

Fix provided by Izumi Tsutsui and ok'd by Martin.
2006-10-20 13:11:09 +00:00
rpaulo 8106a506d3 Use a better way to create sysctl subtrees for ECN and Congctl.
Inspired on ABC subtree.
2006-10-19 14:14:34 +00:00
yamt c549acefec tcp_reno_newack: remove an __unused because it's now used. 2006-10-19 11:42:32 +00:00
yamt df8e5bddfa tcp_reno_newack: regardless of sysctl setting, use L=1*SMSS when
we are doing retransmission.
2006-10-19 11:42:02 +00:00
yamt 81463c93c7 implement RFC3465 appropriate byte counting.
from Kentaro A. Kurahone, with minor adjustments by me.
the ack prediction part of the original patch was omitted because
it's a separate change.  reviewed by Rui Paulo.
2006-10-19 11:40:51 +00:00
dogcow 372e6ef309 now that we have -Wno-unused-parameter, back out all the tremendously ugly
code to gratuitously access said parameters.
2006-10-17 18:21:29 +00:00
yamt 389488e9b6 tcp_output: as a comment in tcp_sack_newack says, actually send
one or two segments on partial acks.  even if sack_bytes_rxmt==0,
if we are in fast recovory with sack, snd_cwnd has somewhat special
meaning here.  PR/34749.
2006-10-17 11:11:40 +00:00
yamt e1c6fffb40 tcp_input: if we have SACK, don't enter fastrecovery on three dupacks.
otherwise, we can enter fastrecovery due to DSACKs, which we treat
as dupacks here.  PR/34748.  reviewed by Rui Paulo.
2006-10-17 09:31:17 +00:00
rpaulo 21df8206df Export the tcp_do_rfc1948 variable to userland via sysctl.
The code to generate an ISS via an MD5 hash has been present in the
NetBSD kernel since 2001, but it wasn't even exported to userland at
that time. It was agreed on tech-net with the original author <thorpej>
that we should let the user decide if he wants to enable it or not.
Not enabled by default.
2006-10-16 18:13:56 +00:00
rpaulo 1c1f230e81 Move comments to proper places. 2006-10-15 17:53:30 +00:00
rpaulo a70594d346 Add a new tcp_congctl(9) structure member for congestion experienced callback.
Needed by HSTCP.
2006-10-15 17:45:06 +00:00
dogcow 44603cac1f more unused variable fallout. 2006-10-13 18:28:06 +00:00
elad 8c494ca741 Introduce KAUTH_REQ_NETWORK_SOCKET_CANSEE. Since we're not gonna be having
credentials on sockets, at least not anytime soon, this is a way to check
if we can "look" at a socket. Later on when (and if) we do have socket
credentials, the interface usage remains the same because we pass the
socket.

This also fixes sysctl for inet/inet6 pcblist.
2006-10-13 15:39:18 +00:00
rpaulo c1fc16d084 PR 34776: don't accept TCP connections to broadcast addresses.
Move the multicast/broadcast check above (before creating a syn_cache entry)
By Yasuoka Yasuoka.
2006-10-12 11:46:30 +00:00
christos 4d595fd7b1 - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
2006-10-12 01:30:41 +00:00
dogcow 55ddfc9aae change the MOWNER_INIT define to take two args; fix extant struct mowner
decls to use it. Makes options MBUFTRACE compile again and not whinge about
missing structure declarations. (Also makes initialization consistent.)
2006-10-10 21:49:14 +00:00
rpaulo a6762e54d7 Revert previous. The check is now done in tcp_congctl. 2006-10-10 11:13:02 +00:00
rpaulo e1b1f65f6b tcp_reno_newack(): bring the exact original code.
tcp_newreno_newack(): call tcp_reno_newack() if partialacks < 0.
2006-10-10 11:12:39 +00:00
yamt f5209007e9 tcp_input: don't call congctl->newack when doing fast retransmit. 2006-10-10 09:19:40 +00:00
yamt 2f7740a31e tcp_reno_newack/tcp_newreno_newack: remove stale comments. 2006-10-10 09:19:13 +00:00
yamt 8afc246107 tcp_newreno_newack: actually inflate cwnd as it used to do. 2006-10-10 08:31:02 +00:00
rpaulo f3330397f0 Modular (I tried ;-) TCP congestion control API. Whenever certain conditions
happen in the TCP stack, this interface calls the specified callback to
handle the situation according to the currently selected congestion
control algorithm.
A new sysctl node was created: net.inet.tcp.congctl.{available,selected}
with obvious meanings.
The old net.inet.tcp.newreno MIB was removed.
The API is discussed in tcp_congctl(9).

In the near future, it will be possible to selected a congestion control
algorithm on a per-socket basis.

Discussed on tech-net and reviewed by <yamt>.
2006-10-09 16:27:07 +00:00
yamt ce8b831234 tcp_output: don't make TSO duplicate CWR/ECE. 2006-10-08 11:10:59 +00:00
yamt 713f438722 tcp_output: don't try to send SACK option larger than txsegsize.
fix a panic like "panic: m_copydata: off 0, len -7".
2006-10-08 11:01:46 +00:00
yamt 94e70819e1 - make sackhole_pool static.
- unify duplicated hole allocation and accounting code.
(no functional changes.)
2006-10-07 20:16:04 +00:00
yamt 5a0a4d9df3 revert tcp_sack.c rev.1.15 because it's unnecessary.
all callers of these functions are at splsoftnet already:
	tcp_sack_option
		tcp_input ok

	tcp_del_sackholes
		tcp_input ok

	tcp_free_sackholes
		tcp_close ok
		tcp_timer_rexmt ok
		tcp_timer_2msl ok
2006-10-07 19:56:14 +00:00
yamt 38fb8d4a38 revert tcp_close part of tcp_subr.c rev.1.200 because it's unnecessary.
all callers of tcp_close are at splsoftnet already:
	tcp_close
		tcp_input ok
		tcp_disconnect
			tcp_usrreq ok
		tcp_usrclosed
			tcp_usrreq ok
			tcp_disconnect
		tcp_timer_2msl ok
		tcp_drop
			tcp_usrreq
			tcp_disconnect
			tcp_timer_rexmt ok
			tcp_timer_persist ok
			tcp_timer_keep ok
			tcp_input
			syn_cache_get
				tcp_input
2006-10-07 19:53:42 +00:00
yamt 8f0e8c48af tcp_sack_output: whitespace. 2006-10-07 19:26:45 +00:00
yamt c1f8725acd tcp_del_sackholes: whitespace. 2006-10-07 19:26:07 +00:00
yamt 87f4568336 tcp_output: remove duplicated code and tweak indent. no functional changes. 2006-10-07 16:16:42 +00:00
mrg 080ac7b6c8 add a missing semicolon from the previous commit. 2006-10-06 03:20:47 +00:00
tls 8cc016b4bc Protect calls to pool_put/pool_get that may occur in interrupt context
with spl used to protect other allocations and frees, or datastructure
element insertion and removal, in adjacent code.

It is almost unquestionably the case that some of the spl()/splx() calls
added here are superfluous, but it really seems wrong to see:

	s=splfoo();
	/* frob data structure */
	splx(s);
	pool_put(x);

and if we think we need to protect the first operation, then it is hard
to see why we should not think we need to protect the next.  "Better
safe than sorry".

It is also almost unquestionably the case that I missed some pool
gets/puts from interrupt context with my strategy for finding these
calls; use of PR_NOWAIT is a strong hint that a pool may be used from
interrupt context but many callers in the kernel pass a "can wait/can't
wait" flag down such that my searches might not have found them.  One
notable area that needs to be looked at is pf.

See also:

http://mail-index.netbsd.org/tech-kern/2006/07/19/0003.html
http://mail-index.netbsd.org/tech-kern/2006/07/19/0009.html
2006-10-05 17:35:19 +00:00
dbj aaabb4938b back out revision 1.144 calculating txsegsizep since it unmasks
other bugs.  See PR kern/34674
2006-10-01 22:29:20 +00:00
dbj 7c8cd0a2c8 consider sb_lowat when limiting the transmit length to keep acks on the wire 2006-09-28 04:32:47 +00:00
jeremy b91b1cdbb2 Fixed a bug in the timeout range constraint macro that can cause a timeout
to break free of the constraint if the range minimum boundary is larger than
the maximum boundary.

Discovered by jmg@FreeBSD.org.  (See FreeBSD's tcp_timer.h rev 1.31).
2006-09-26 06:39:22 +00:00
rpaulo 8917262dee Remove line that shouldn't have been committed. 2006-09-25 13:21:53 +00:00
rpaulo f3e1747995 PR/14806: NetBSD uses the wrong default TCP MSS.
No objections in tech-net.
2006-09-25 13:20:20 +00:00
sketch a38b4ece79 typo. 2006-09-25 12:24:47 +00:00
elad a56f110db9 PR/29766: Chris Ross: Incomplete correction of comments in netinet/in.c
Patch applied, thanks!
2006-09-23 20:54:07 +00:00
elad 83a5239b28 Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.

While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).

Update documentation.
2006-09-19 21:42:29 +00:00
yamt a741fb2573 defflag IPFILTER_LOOKUP. 2006-09-17 13:43:15 +00:00
elad bada0c776a Don't use KAUTH_RESULT_* where it's not applicable.
Prompted by yamt@.
2006-09-13 10:07:42 +00:00
elad 5f7169ccb1 First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
  opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
  security model, called "bsd44". This is the default (and only) model we
  have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

  * There's a sample overlay model, sitting on-top of "bsd44", for
    fast experimenting with tweaking just a subset of an existing model.

    This is pretty cool because it's *really* straightforward to do stuff
    you had to use ugly hacks for until now...

  * And of course, documentation describing how to do the above for quick
    reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

	http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

  - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
  - Checks 'securelevel' directly,
  - Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)
2006-09-08 20:58:56 +00:00
dogcow f2d329dca0 remove more vestiges of CCITT, LLC, HDLC, NS, and NSIP. 2006-09-07 02:40:31 +00:00
rpaulo 2fb2ae3251 Import of TCP ECN algorithm for congestion control.
Both available for IPv4 and IPv6.
Basic implementation test results are available at
http://netbsd-soc.sourceforge.net/projects/ecn/testresults.html.

Work sponsored by the Google Summer of Code project 2006.
Special thanks to Kentaro Kurahone, Allen Briggs and Matt Thomas for their
help, comments and support during the project.
2006-09-05 00:29:35 +00:00
liamjfoy 3c3d7131af increment ips_total too.
ok matt thomas
2006-09-02 12:41:01 +00:00
dyoung 47be766fd3 Add a mode to gre(4) that sends GRE tunnel packets in UDP datagrams.
Fix MOBILE encapsulation.  Add many debugging printfs (mainly
concerning UDP mode).  Clean up the gre(4) code a bit.  Add the
capability to setup UDP tunnels to ifconfig.  Update documentation.

In UDP mode, gre(4) puts a GRE header onto transmitted packets,
and hands them to a UDP socket for transmission.  That is, the
encapsulation looks like this: IP+UDP+GRE+encapsulated packet.

There are two ways to set up a UDP tunnel.  One way is to tell the
source and destination IP+port to gre(4), and let gre(4) create
the socket.  The other way to create a UDP tunnel is for userland
to "delegate" a UDP socket to the kernel.
2006-08-31 17:46:16 +00:00
christos 2434b8bf99 Fix initializers. 2006-08-30 19:00:22 +00:00
christos da6e78aa67 fix initializer 2006-08-30 18:55:09 +00:00
christos cddf6d88fb static comes first 2006-08-30 18:54:19 +00:00
christos 67cdc0f9ea fix initializers 2006-08-30 18:53:04 +00:00
christos ca0d162d55 add missing initializers 2006-08-30 17:05:30 +00:00
christos dd762fc161 fix initializers and add const. 2006-08-30 16:40:03 +00:00
christos eb6054a9fe Fix initializers 2006-08-30 15:45:54 +00:00
yamt ea6892fdba icmp_input: don't assume relations between PRC_ and ICMP_ values. 2006-08-28 13:46:35 +00:00
christos 82b002de3d Remove excess initializer. 2006-08-28 02:53:03 +00:00
matt 6c8fa3224e One step closer to loadable domains. Store pointers to a domain's soft
interrupt queues so if_detach can remove packets to removed interfaces from
them.  This eliminates a lot of conditional ugly code in if.c
2006-08-25 19:33:50 +00:00
elad 5446ee0ef6 ugh.. more stuff that's overdue and should not be in 4.0: remove the
sysctl(9) flags CTLFLAG_READONLY[12]. luckily they're not documented
so it's only half regression.

only two knobs used them; proc.curproc.corename (check added in the
existing handler; its CTLFLAG_ANYWRITE, yay) and net.inet.ip.forwsrcrt,
that got its own handler now too.
2006-07-30 17:38:19 +00:00
dyoung 7559ef3351 Extract predicate M_UNWRITABLE(m, len), which is true iff len
consecutive bytes at the front of m are writable (i.e., neither
shared nor read-only).
2006-07-28 17:34:13 +00:00
dyoung 8cb43bea43 Fix mtod() usage. If we will write to the mbuf data, check whether
the data is read-only/shared and call m_pullup().  Otherwise,
extract a const pointer to the mbuf data.

XXX I should extract a new macro, M_WRITABLE(m, len), that is true
if m has len consecutive writable bytes at its front.

KNF slightly.

Use bpf_mtap_af().
2006-07-28 17:06:59 +00:00
dyoung bce72f7b6a Fix mtod() usage. If we will write to the mbuf data, check whether
the data is read-only/shared and call m_pullup().  Otherwise,
extract a const pointer to the mbuf data.

XXX I should extract a new macro, M_WRITABLE(m, len), that is true
if m has len consecutive writable bytes at its front.
2006-07-28 17:04:27 +00:00
dyoung ae0b3d534e Where mbuf data may be read-only/shared, use mtod(m, const ...).
Annotate a comparison and m_pullup() that seem unnecessary.
2006-07-28 16:30:55 +00:00
dyoung 788c34d9d0 Use bpf_mtap_af(). KNF slightly. 2006-07-28 16:26:20 +00:00
ad f474dceb13 Use the LWP cached credentials where sane. 2006-07-23 22:06:03 +00:00
rpaulo 25ec6d007f revert stuff that shouldn't have gone in. 2006-07-22 17:45:03 +00:00
rpaulo f5f6aa2ed3 TCP RFC is 793, not 783. 2006-07-22 17:39:48 +00:00
elad 77de54cbf0 get rid of CURTAIN() macro. inline the last use of it, together
with a nice XXX comment (assigned to me of course) that we should
be doing this differently.
2006-07-16 21:13:00 +00:00
tron e12e4b2966 Remove test for M_CSUM_TSOv6 flag which is not (yet) defined in
NetBSD-current.
2006-07-12 14:07:02 +00:00
tron 9563ec16dc Add diagnostic checks for hardware-assisted checksum related flags in
the mbuf which supposed to get sent out:
- Complain in ip_output() if any of the IPv6 related flags are set.
- Complain in ip6_output() if any of the IPv4 related flags are set.
- Complain in both functions if the flags indicate that both a TCP and
  UCP checksum should be calculated by the hardware.
2006-07-12 13:11:27 +00:00
peter b794520dcd Wrap long lines, unwrap a short line. 2006-07-10 15:37:26 +00:00
peter fac34f3d31 Moves the PF_GENERATED m_tag to the new packet in icmp_error.
This is needed because the pf code can call icmp_error with setting
this tag, but the new packet should not be filtered when it comes back
to pf(4).

ok christos@
2006-07-10 15:35:39 +00:00
riz a06a21e5d3 Prototype for tvtohz() is no longer needed here. 2006-06-13 15:57:15 +00:00
riz 58d052216c Remove implementation of tvtohz() - since the timecounters branch
was merged, this is now in sys/kern/kern_clock.c .
2006-06-13 15:43:04 +00:00
kardel de4337ab21 merge FreeBSD timecounters from branch simonb-timecounters
- struct timeval time is gone
  time.tv_sec -> time_second
- struct timeval mono_time is gone
  mono_time.tv_sec -> time_uptime
- access to time via
	{get,}{micro,nano,bin}time()
	get* versions are fast but less precise
- support NTP nanokernel implementation (NTP API 4)
- further reading:
  Timecounter Paper: http://phk.freebsd.dk/pubs/timecounter.pdf
  NTP Nanokernel: http://www.eecis.udel.edu/~mills/ntp/html/kern.html
2006-06-07 22:33:33 +00:00
liamjfoy 62438e22ea remove some dead code
ok christos@
2006-05-28 11:07:04 +00:00
bouyer 01307555ec Revert rev 1.241: calling m_makewritable() in tcp_input causes problems when
it has to change the mbuf chain. I experience hard hang on a Xen2 domU after
TCP connections have been closed, and a crash has been reported which may be
caused by this too.
2006-05-27 13:35:20 +00:00
bouyer bc93583ffe If we're going to byteswap fields in the TCP header, make sure the mbuf
area is writable first.
2006-05-25 21:49:19 +00:00
bouyer df9be102c5 Make sure the mbuf is writable before trying to write to it. 2006-05-25 21:33:12 +00:00
liamjfoy 14c608becb remove a little white space 2006-05-25 15:22:05 +00:00
liamjfoy d8d9494bf9 Add a check for our own advertisements. This is due to non-simplex
interfaces which received the packets they have just sent.

From: OpenBSD (rev. 1.124)
ok: christos@
2006-05-24 13:39:37 +00:00
liamjfoy 4876c304b1 Integrate Common Address Redundancy Procotol (CARP) from OpenBSD
'pseudo-device	carp'

Thanks to: joerg@ christos@ riz@ and others who tested
Ok: core@
2006-05-18 09:05:49 +00:00
christos fc6d984beb kauth fallout 2006-05-15 00:05:16 +00:00
elad 874fef3711 integrate kauth. 2006-05-14 21:19:33 +00:00
christos 8f60e3b3e5 Comment out attribute packed. Gcc4 warns us that the field is too narrow
for packing. Produces the same size struct on i386 (28 bytes)
2006-05-14 02:34:41 +00:00
mrg 126f7e1139 since ar_tha() can return NULL, don't pass it directly to functions
that expect real addresses.  explicitly KASSERT() that it is not
NULL in the kernel and just avoid using it userland.

(the kernel could be more defensive about this, but, until now it
would have just crashed anyway.)
2006-05-12 01:20:33 +00:00
mrg 084c052803 quell GCC 4.1 uninitialised variable warnings.
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-10 21:53:14 +00:00
liamjfoy 64c2ef1711 #if -> #ifdef
ok christos
2006-05-08 18:50:12 +00:00
rpaulo de8db47547 Add support for RFC 3542 Adv. Socket API for IPv6 (which obsoletes 2292).
* RFC 3542 isn't binary compatible with RFC 2292.
* RFC 2292 support is on by default but can be disabled.
* update ping6, telnet and traceroute6 to the new API.

From the KAME project (www.kame.net).
Reviewed by core.
2006-05-05 00:03:21 +00:00
liamjfoy 79f53c18fe - use MAXTTL
ok christos@
2006-04-25 08:29:08 +00:00
christos 49cd195740 Coverity CID 1153: Add KASSERT before deref. 2006-04-15 02:33:41 +00:00
christos 4fd8acf0f3 Coverity CID 1152: Add KASSERT before deref. 2006-04-15 02:32:22 +00:00
christos ddb5372e69 Coverity CID 1149: Add KASSERT before deref. 2006-04-15 02:30:39 +00:00
christos 7a396ae9a9 Coverity CID 1148: Add KASSERT before deref. 2006-04-15 02:29:12 +00:00
christos f190fa88ca Coverity CID 1134: Protect against NULL deref. 2006-04-15 02:24:12 +00:00
christos 3e3a249d3c Move pf2 assignment after we've assigned pf. 2006-04-15 00:29:25 +00:00
christos 519309ea6e Coverity CID 1154: Prevent NULL deref. 2006-04-14 23:17:24 +00:00
christos 0f609f1bfa Coverity CID 738: Fix the query size vs. result returning setup. 2006-04-14 23:09:16 +00:00
dyoung 4db39a7dbf When reflecting an ICMP Echo, do not scribble over read-only/shared
mbuf storage.
2006-03-29 21:13:55 +00:00
seanb c6d79d21de Slight simplification of hdr len calculation in tcp_segsize().
No functional change.
2006-03-25 13:34:35 +00:00
matt 4c71408df5 An MTU can't be negative so store them in unsigned variables. 2006-03-22 01:07:24 +00:00
wiz e2a71c2aab 'advertisment' -> 'advertisement', from leonardo chiquitto filho
via jmc@openbsd.
2006-03-07 18:15:28 +00:00
rpaulo 8c2379fd97 NDP-related improvements:
RFC4191
	- supports host-side router-preference

	RFC3542
	- if DAD fails on a interface, disables IPv6 operation on the
          interface
	- don't advertise MLD report before DAD finishes

	Others
	- fixes integer overflow for valid and preferred lifetimes
	- improves timer granularity for MLD, using callout-timer.
	- reflects rtadvd's IPv6 host variable information into kernel
	  (router only)
	- adds a sysctl option to enable/disable pMTUd for multicast
          packets
	- performs NUD on PPP/GRE interface by default
	- Redirect works regardless of ip6_accept_rtadv
	- removes RFC1885-related code

From the KAME project via SUZUKI Shinsuke.
Reviewed by core.
2006-03-05 23:47:08 +00:00
christos 23ecfee197 Handle IPSEC_NAT_T in the FAST_IPSEC case.
XXX: need to fix the FAST_IPSEC code now.
2006-02-23 01:35:19 +00:00
joerg 34096c9b32 Print the source and destination IP in ip_forward's DIAGNOSTIC code
with inet_ntoa, making it more human friendly.

From Liam J. Foy in private mail.
2006-02-18 17:47:07 +00:00
rpaulo ae6865ba83 PR 13952: Noritoshi Demizu: correct the TCP window information update check. 2006-02-18 17:34:49 +00:00
perry fbae48b901 Change "inline" back to "__inline" in .h files -- C99 is still too
new, and some apps compile things in C89 mode. C89 keywords stay.

As per core@.
2006-02-16 20:17:12 +00:00
riz 854279801b If TCP_SIGNATURE is defined, include netinet6/scope6_var.h for the
prototype of in6_clearscope().  Kernels with options TCP_SIGNATURE now
compile again after the IPv6 scoped address changes.
2006-02-02 05:52:23 +00:00
elad 6a22a76f5c fix tyop.
pr 32678 from yves emmanuel jutard.
2006-01-31 17:19:39 +00:00
rpaulo 78678b130a Better support of IPv6 scoped addresses.
- most of the kernel code will not care about the actual encoding of
  scope zone IDs and won't touch "s6_addr16[1]" directly.
- similarly, most of the kernel code will not care about link-local
  scoped addresses as a special case.
- scope boundary check will be stricter.  For example, the current
  *BSD code allows a packet with src=::1 and dst=(some global IPv6
  address) to be sent outside of the node, if the application do:
    s = socket(AF_INET6);
    bind(s, "::1");
    sendto(s, some_global_IPv6_addr);
  This is clearly wrong, since ::1 is only meaningful within a single
  node, but the current implementation of the *BSD kernel cannot
  reject this attempt.
- and, while there, don't try to remove the ff02::/32 interface route
  entry in in6_ifdetach() as it's already gone.

This also includes some level of support for the standard source
address selection algorithm defined in RFC3484, which will be
completed on in the future.

From the KAME project via JINMEI Tatuya.
Approved by core@.
2006-01-21 00:15:35 +00:00
perry f8824a9b43 change comment from __const__ to const 2005-12-24 23:43:17 +00:00
perry 0f0296d88a Remove leading __ from __(const|inline|signed|volatile) -- it is obsolete. 2005-12-24 20:45:08 +00:00
christos f01a2f5714 Define INADDR_NONE when we are in the kernel too. 2005-12-20 19:32:30 +00:00
christos 95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
elad 9702e98730 Multiple inclusion protection, as suggested by christos@ on tech-kern@
few days ago.
2005-12-10 23:31:41 +00:00
manu 9d0ec64222 Fix a bug in ESP over UDP: because udp4_espinudp() called m_pullup, it
could modify the struct mbuf and calling functions (udp_input() and
udp4_realinput()) would have used a garbled local copy of the pointer.

The fix is not perfect. udp4_espinudp() should use m_pulldown()...
2005-12-09 15:36:34 +00:00
yamt d3ac0a8b69 revert rev.1.72 as it isn't necessary. 2005-11-22 17:52:38 +00:00
dsl c24781af04 Pass the current process structure to in_pcbconnect() so that it can
pass it to in_pcbbind() so that can allocate a low numbered port
if setsockopt() has been used to set IP_PORTRANGE to IP_PORTRANGE_LOW.
While there, fail in_pcbconnect() if the in_pcbbind() fails - rather
than sending the request out from a port of zero.
This has been largely broken since the socket option was added in 1998.
2005-11-15 18:39:46 +00:00
christos 2fa7cb2348 Remove redundant assignment (from Liam Foy) 2005-11-10 13:40:38 +00:00
christos 8481673c7a Don't decrement the ttl, until we are sure that we can forward this packet.
Before if there was no route, we would call icmp_error with a datagram
packet that has an incorrect checksum. (From Liam Foy)
2005-11-01 21:21:09 +00:00
christos ff7f1eddad No need to pass an interface when only the mtu is needed. From OpenBSD via
Liam Foy.
2005-10-23 18:38:53 +00:00
christos 30756e31a3 small list macro cleanup:
- remove duplicate LIST_FIRST (Liam Foy)
- change to use LIST_FOREACH or for () instead of while () for consistency
2005-10-17 19:51:24 +00:00
seanb 6d8b694cb5 - Close NULL dereference when a GIFALIAS is performed on
a non existant address.
- Code review: christos
2005-09-28 17:56:27 +00:00
dyoung a58bd46ec2 People have to read this code, so I am removing the double-negative
tautology, #ifndef notdef, which is not only superfluous, but easily
misread as #ifdef notyet.
2005-09-19 05:28:46 +00:00
seb cf017dd18f Replace plain 255 by MAXTTL. 2005-09-11 22:15:19 +00:00
christos 8c1f164eb6 Allow the multicast_ttl and the multicast_loop options to be set with both
u_char and u_int option variables. Original patch from seb.
2005-09-11 21:57:24 +00:00
elad 348574574d Implement curtain for AF_INET{,6} PCB lists. 2005-09-07 17:58:13 +00:00
rpaulo 67a0c36218 Correct SYSCTL_DESCR for tcp.debx. 2005-09-06 02:57:04 +00:00
rpaulo 37cbe61e67 Implement tcp.inet{,6}.tcp{,6}.(debug|debx) when TCP_DEBUG is set. They
can be used to ``transliterate protocol trace'' like trpt(8) does.
2005-09-06 02:41:14 +00:00
rpaulo f8bcc940fb Wrap two big lines. 2005-09-06 01:05:38 +00:00
kleink c69ab4901b udp4_espinudp(): don't assume that the Non-ESP marker (or UDP payload)
is aligned on a 64-bit boundary.
2005-09-03 18:01:07 +00:00
christos 2368c3b779 make ICMPPRINTFS work; from Liam Foy. 2005-08-19 12:29:18 +00:00
yamt 2e85eff671 - introduce M_MOVE_PKTHDR and use it where appropriate.
intended to be mostly API compatible with openbsd/freebsd.
- remove a glue #define in netipsec/ipsec_osdep.h.
2005-08-18 00:30:58 +00:00
christos 622690226a If called from syn_cache_add, we need to initialize t_state before calling
tcp_dooptions. Pointed out by yamt.
2005-08-12 14:41:00 +00:00
hubertf a72fe4e4bf Clarify comment that "the protocol specification dated September, 1981"
is really RFC 793.
2005-08-12 04:19:22 +00:00
christos 5910d08b05 Don't process TCP options in SYN packets after the connection has
been established. (FreeBSD-SA-05:15.tcp)
2005-08-11 22:25:18 +00:00
yamt b211b85ff4 wrap INET-only code by #if defined(INET). 2005-08-10 13:07:21 +00:00
yamt f02551ec2d move {tcp,udp}_do_loopback_cksum back to tcp/udp
so that they can be referenced by ipv6.
2005-08-10 13:06:49 +00:00
yamt 8220c378e6 device independent part of ipv6 rx checksum offloading. 2005-08-10 13:05:16 +00:00
yamt 40a140d919 ipv6 tx checksum offloading. reviewed by Jason Thorpe. 2005-08-10 12:58:37 +00:00
elad 6439f2618f Add sysctls for IP, ICMP, TCP, and UDP statistics. 2005-08-05 09:21:25 +00:00
gdt e25f2a0d87 Restore to working order; this has apparently been nonworking since
the decapsulator dispatch changes in 2001.  Problems found and fixed
by Christine Jones of BBN.  Specifically:

Check for a packet's protocol to be ENCAP_PROTO, not AF_INET.

Remove one-back cache for last vif, because vif_encapcheck is called
for each vif, rather than being expected to find the appropriate vif.
The cache usage caused packets to be input on the wrong vif and hence
usually dropped.

In vif_encapcheck, verify the local source as well.  While mrouted
endeavors not to create multiple tunnels with a peer, a packet
arriving with the wrong local address is still wrong and should not be
accepted.  (This is a correctness nit, not a security issue.)  Order
checks to fail quickly for packets being checked to see if they match
a vif other than the one they belong on (essentially, check peer
source address in outer header first).

Claim 69 bits of match (32 each from outer src/dst and 5 from checking
that inner dst is within 224/5).  This should result in the vif having
a higher priority for multicast packets compared to a parallel gif(4)
tunnel, and that both seems appropriate if both are configured and
seems to match the semantics expected by the decapsulator dispatch
machinery.

(These changes were made in 2.99.15 and about a dozen nodes are
running them with many vifs.  ip_mroute.c has not changed
significantly since then (February 2005) and the changes applied
cleanly to current and compile cleanly.)
2005-08-03 18:20:11 +00:00
christos afe9d603ec PR/30844: Gert Doering: Non-inet traffic is passed to bpf incorrectly (as inet) 2005-07-26 21:26:48 +00:00
riz fba9a3bda6 Add a definition for TCPOLEN_SIGLEN from OpenBSD, so a kernel with
options TCP_SIGNATURE will compile again after the new PMTU checks
were brought in from OpenBSD.  Approved by christos.
2005-07-21 17:32:11 +00:00
he 4047396e46 Make this build without INET6. 2005-07-20 08:05:43 +00:00
christos 89940190d0 Implement PMTU checks from:
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html

1. Don't act on ICMP-need-frag immediately if adhoc checks on the
advertised MTU fail. The MTU update is delayed until a TCP retransmit
happens.
2. Ignore ICMP Source Quench messages meant for TCP connections.

From OpenBSD.
2005-07-19 17:00:02 +00:00
gdt b0239c745e Add PR_PURGEIF flag for protocols to indicate that the protocol might
store a struct ifnet *, and define it for udp/tcp/rawip for INET and
INET6.  When deleting a struct ifnet, invoke PRU_PURGEIF on all
protocols marked with PR_PURGEIF.  Closes PR kern/29580 (mine).
2005-07-19 12:58:24 +00:00
xtraeme 997ffdbad9 Move ipl.h into the ipfilter block, which is the right place. 2005-07-09 14:15:11 +00:00
christos a85b0c68e0 Normalize our PAWS code with Free and Open, as mentioned in tech-security. 2005-06-30 02:58:28 +00:00
seanb d7185c5796 - Return ICMP_UNREACH_NET when no route found as per
section 4.3.3.1 of rfc1812.
2005-06-28 19:38:58 +00:00
drochner de48323ae9 typo in comment 2005-06-28 19:16:02 +00:00
mlelstv d23f1d6e16 expire cached route. Fixes PR 22792. 2005-06-26 10:39:21 +00:00
atatat df13e3579e Change the rest of the sysctl subsystem to use const consistently.
The __UNCONST macro is now used only where necessary and the RW macros
are gone.  Most of the changes here are consumers of the
sysctl_createv(9) interface that now takes a pair of const pointers
which used not to be.
2005-06-20 02:49:18 +00:00
atatat 420d91208b Properly fix the constipated lossage wrt -Wcast-qual and the sysctl
code.  I know it's not the prettiest code, but it seems to work rather
well in spite of itself.
2005-06-09 02:19:59 +00:00
yamt 0e70c535bf tcp_input: don't overload opti.ts_ecr. 2005-06-06 12:10:09 +00:00
martin 71d020f371 Since we decided "const struct mbuf *" would not do the right thing (tm),
remove ~all const from mbuf pointers.
2005-06-06 06:06:50 +00:00
martin 4ba4736381 Adapt to ip_encap.h constification. 2005-06-06 04:51:06 +00:00
christos 578e0f23a2 make this compile again. 2005-06-06 02:47:59 +00:00
martin 782608e87b Sprinkle some const 2005-06-03 21:40:56 +00:00
tron c86b2622dd Change the first argument of the encapsulation check function from
"const struct mbuf *" to "struct mbuf *". Without this change the
actual implementation cannot even use m_copydata() on the mbuf chain
which is broken.
2005-06-02 15:21:35 +00:00
tron 41dcb3a310 Remove type casts and lint directives which are now longer necessary
because the first argument of m_copydata() is "const struct mbuf *" now.
2005-06-02 10:54:58 +00:00
riz c86368208b Fix some const fallout. 2005-06-02 04:40:46 +00:00
drochner 49d230fa91 need a "const" 2005-06-01 12:27:15 +00:00
blymn e703150707 Unconstify rnode to prevent compile error when GATEWAY option set. 2005-06-01 09:45:15 +00:00
christos ea2d4204b6 - add const
- remove bogus casts
- avoid nested variables
2005-05-29 21:41:23 +00:00
christos 00c7362be7 change casts to proper unconst. mark XXXUNCONST 2005-05-29 21:40:27 +00:00
christos 52d3dc717e - remove local copy of hexdigits.
- sprinkle const
- use mem*() instead of b*()
2005-05-29 21:39:21 +00:00
christos 5e5ed54bfe remove stupid hand-rolled loop and kernel conditional. 2005-05-29 21:38:37 +00:00
yamt f398966b60 tcp_output: account FIN when building sack option. 2005-05-08 04:52:05 +00:00
yamt a448e5be5b tcp_output: don't try to send more data than we have. PR/30160. 2005-05-08 04:51:05 +00:00
yamt 0afea4b00f tcp_output: clear TH_FIN where appropriate. related to PR/30160. 2005-05-08 04:48:47 +00:00
yamt b8690cc289 tcp_sack_option: ignore sack beyond snd_max. 2005-05-08 04:46:20 +00:00
christos 761bd09636 PR/30154: YAMAMOTO Takashi: tcp_close locking botch
chgsbsize() as mentioned in the PR can be called from an interrupt context
via tcp_close(). Avoid calling uid_find() in chgsbsize().
- Instead of storing so_uid in struct socketvar, store *so_uidinfo
- Add a simple lock to struct uidinfo.
2005-05-07 17:42:09 +00:00
matt 89ba134744 Add #include <sys/protosw.h> when _KERNEL 2005-05-06 04:28:37 +00:00
martti 840228057a Install netinet/ipl.h (bin/30095) 2005-05-01 14:57:27 +00:00
manu e0d963d34b Fix memory leak 2005-04-29 13:06:23 +00:00
yamt 34c3fec469 move decl of inetsw to its own header to avoid array of incomplete type.
found by gcc4.  reported by Adam Ciarcinski.
2005-04-29 10:39:09 +00:00
manu cddc307094 Fix build problem after recent NAT-T changes 2005-04-26 05:37:45 +00:00
manu 52786ce730 Don't sleep when handling ESP over UDP packets. 2005-04-25 20:37:06 +00:00
manu 455d55f55b Enhance IPSEC_NAT_T so that it can work with multiple machines behind the
same NAT.
2005-04-23 14:05:28 +00:00
yamt 23cd288d37 ip_output: handle the case M_CSUM_TSOv4 but !IFCAP_TSOv4. 2005-04-18 22:06:28 +00:00
yamt fa67035590 add a function to handle M_CSUM_TSOv4 by software. 2005-04-18 21:55:06 +00:00
yamt e5a2b5a4a4 fix problems related to loopback interface checksum omission. PR/29971.
- for ipv4, defer decision to ip layer as h/w checksum offloading does
  so that it can check the actual interface the packet is going to.
- for ipv6, disable it.
  (maybe will be revisited when it implements h/w checksum offloading.)

ok'ed by Jason Thorpe.
2005-04-18 21:50:25 +00:00
yamt 0b4d50d7bd when doing TSO, avoid to use duplicated ip_id heavily.
XXX ip_randomid
2005-04-07 12:22:47 +00:00
kurahone f7707899c1 Added sysctl tunable limits for the number of maximum SACK holes
per connection and per system.

Idea taken from FreeBSD.
2005-04-05 01:07:17 +00:00
yamt 4b935040d0 tcp_input: update a comment to match with the code. 2005-04-03 05:02:46 +00:00
is a0c9bc9616 Add IPv6 over GRE (contributed by Gert Doering in PR 29150). 2005-03-30 16:34:54 +00:00
yamt 73a5d8f913 s of sack is selective, not selection. pointed by Michael Eriksson. 2005-03-30 11:09:16 +00:00
yamt 8b0967ff45 protect tcpipqent with splvm. 2005-03-29 20:10:16 +00:00
yamt c08e90ff51 tcp_output: lock reass queue when building sack. 2005-03-29 20:09:24 +00:00
yamt 2c742b20e6 ip_reass: clear stale csum_flags. 2005-03-29 09:37:08 +00:00
christos 3136f75efa defopt IPFILTER_DEFAULT_BLOCK 2005-03-26 18:08:42 +00:00
kurahone 0eb940bc75 TCP/SACK changes from FreeBSD.
Ignore the SACK option if
 * The packet is not an ACK.
 * The ACK is outside of snd_una -> snd_max
2005-03-18 21:25:09 +00:00
yamt df05ca7085 simplify data receiver side sack processing.
- introduce t_segqlen, the number of segments in segq/timeq.
  the name is from freebsd.
- rather than maintaining a copy of sack blocks (rcv_sack_block[]),
  build it directly from the segment list when needed.
2005-03-16 00:39:56 +00:00
yamt 0446b7c3e3 - use full sized segments unless we actually have SACKs to send.
- avoid TSO duplicate D-SACK.
- send SACKs regardless of TF_ACKNOW.
- don't clear rcv_sack_num when transmitting.

discussed on tech-net@.
2005-03-16 00:38:27 +00:00
yamt 9482bc7356 don't try to use TSO to transmit a single segment.
- there's no benefit.
- rtl8169 seems to be stuck with it.
2005-03-12 07:53:08 +00:00
matt 7dfa1d8cf7 Set ip_len to 0 in the wm driver when TSO is being used. 2005-03-11 17:07:51 +00:00
atatat 5b8a6c916d Revert the change that made kern.file2 and net.*.*.pcblist into nodes
instead of structs.  It had other deleterious side-effects that are
rather nasty.  Another solution must be found.
2005-03-11 06:16:15 +00:00
thorpej 3901f760df In ip_fragment():
- Use the correct IP header length variable for other-than-first packets.
- Remove redundant setting of the original IP header length in the first
  packet's csum_data.  (It's already set before ip_fragment() is called
  in 1.147.)
2005-03-10 06:03:00 +00:00
atatat d945605f5b Make this build without INET6 xor INET (hah!) again. 2005-03-10 05:49:14 +00:00
atatat ca63da437a Change types of kern.file2 and net.*.*.pcblist to NODE 2005-03-10 05:43:25 +00:00
atatat 7c62c74d09 Add the following nodes to the sysctl tree:
net.local.stream.pcblist
	net.local.dgram.pcblist
	net.inet.tcp.pcblist
	net.inet.udp.pcblist
	net.inet.raw.pcblist
	net.inet6.tcp6.pcblist
	net.inet6.udp6.pcblist
	net.inet6.raw6.pcblist

which allow retrieval of the pcbs in use for those protocols.  The
struct involved is 32/64 bit clean and incorporates parts of struct
inpcb, struct unpcb, a bit of struct tcpcb, and two socket addresses.
2005-03-09 05:07:19 +00:00
atatat 76a9013c25 gc the tcp_sysctl() prototype since it's completely vestigial 2005-03-09 04:51:56 +00:00
simonb e491fee6a5 s/quence/quench/. 2005-03-09 04:24:12 +00:00
simonb 3792275475 Add an extra `i' to notifes/notifed. 2005-03-09 04:23:33 +00:00
matt 47df382bfe Move all the hardware-assisted checksum/segment offload code together. 2005-03-09 03:39:27 +00:00
matt ea3d151322 For AF_INET, always set m->m_pkthdr.csum_data. Don't or TSOv4, just set it. 2005-03-09 03:38:33 +00:00
yamt a0f802e2ac tcp_sack_option: handle the case that the right-most sack'ed block is expanded.
a fix from Noritoshi Demizu (FreeBSD PR/78226) via Kentaro A. Kurahone.
2005-03-08 11:27:14 +00:00
yamt e55b9169d1 tcp_sack_option: fix the cases that some sack blocks go into a hole. 2005-03-07 10:27:39 +00:00
yamt ff614e1114 tcp_sack_option: fix a typo(?), which can cause to ignore valid blocks. 2005-03-07 09:40:35 +00:00
yamt ed8b840f26 tcp_sack_option: the max number of sack blocks in a packet is 4, not 3. 2005-03-07 09:32:51 +00:00
yamt e16a97f90b - unwrap short lines.
- remove unneeded parenthesis.
- whitespace.
2005-03-06 23:06:40 +00:00
yamt fd5005e8d7 don't assume alignment of sack options. 2005-03-06 23:05:56 +00:00
yamt 1152380a6b wrap long lines. 2005-03-06 23:05:20 +00:00
yamt 2dc19239d5 update SYSCTL_DESCR; sack is implemented. 2005-03-06 10:15:30 +00:00
thorpej 1f89264732 Add a /*CONSTCOND*/ to last. 2005-03-06 03:41:36 +00:00
matt c24b749deb Fix typo. Opposite of >= is <, not ==. 2005-03-06 00:52:25 +00:00
matt 9337b701be Replace some gotos with a do while (0) and breaks. No functional change. 2005-03-06 00:48:52 +00:00
matt 8e04817c50 Add IPv4/TCP hooks for TCP Segment Offload on transmit. 2005-03-06 00:35:07 +00:00
briggs 6fe1c07527 Fix checksum offload for fragmented packets. From John Heasley
on gnats-bugs in PR kern/29544.
Tested with an NFS client using default rwsize on an NFS server
with wm(4) interface configured IP4CSUM,TCP4CSUM,UDP4CSUM.
Prior revision required the server to have checksum offload disabled.
2005-03-05 02:46:38 +00:00
mycroft 5640dcbb4a Re-add callout_active(), in a way compatible with the FreeBSD version, and use
it in the TCP stack to test which of the REXMT or PERSIST timer is in use.
This fixes a race condition that could cause "panic: tcp_output REXMT".  See
tech-net for details.
2005-03-04 05:51:41 +00:00
mycroft c9f058f65e Copyright maintenance. 2005-03-02 10:20:18 +00:00
jonathan 4ae1f36dc9 Commit TCP SACK patches from Kentaro A. Karahone's patch at:
http://www.sigusr1.org/~kurahone/tcp-sack-netbsd-02152005.diff.gz

Fixes in that patch for pre-existing TCP pcb initializations were already
committed to NetBSD-current, so are not included in this commit.

The SACK patch has been observed to correctly negotiate and respond,
to SACKs in wide-area traffic.

There are two indepenently-observed, as-yet-unresolved anomalies:
First, seeing unexplained delays between in fast retransmission
(potentially explainable by an 0.2sec RTT between adjacent
ethernet/wifi NICs); and second, peculiar and unepxlained TCP
retransmits observed over an ath0 card.

After discussion with several interested developers, I'm committing
this now, as-is, for more eyes to use and look over.  Current hypothesis
is that the anomalies above may in fact be due to link/level (hardware,
driver, HAL, firmware) abberations in the test setup, affecting  both
Kentaro's  wired-Ethernet NIC and in my two (different) WiFi NICs.
2005-02-28 16:20:59 +00:00
perry f07677dd81 nuke trailing whitespace 2005-02-26 22:45:09 +00:00
peter 1c9b56c830 Add MKIPFILTER; if set to no, don't build and install the ipf(4) programs,
headers and LKM.

Add MKPF; if set to no, don't build and install the pf(4) programs,
headers, LKM and spamd.

Both options default to yes, so nothing changed in the default build.

Reviewed by lukem.
2005-02-22 14:39:58 +00:00
heas 0f8efdd552 My last change for pseudo-header checksums was flawed. The pseudo-header
checksum is always in the L4 header by the time we get to this point.  It
was occasionally not there due to a bug in tcp_respond, which has since
been fixed.
So, instead just stash the length of the L3 header in the high 16 bits of
csum_data.
2005-02-18 00:52:56 +00:00
briggs da725d663a Initialize snd_high as part of tcp_sendseqinit().
From Kentaro A. Kurahone.
2005-02-16 15:00:47 +00:00
briggs a825f3e77c Initialize t_partialacks in the tcpcb template.
From Kentaro A. Kurahone.
2005-02-16 14:59:40 +00:00
heas 2d4ced7c82 For controllers (eg: hme & gem) that can only perform linear hardware checksums
(from an offset to the end of the packet), the pseudo-header checksum must be
calculated by software.  So, provide it in the TCP/UDP header when
M_CSUM_NO_PSEUDOHDR is set in the interface's if_csum_flags_tx.

The start offset, the end of the IP header, is also provided in the high 16
bits of pkthdr.csum_data.  Such that the driver need not examine the packet
at all.

XXX At the request of Jonathan Stone, note that sharing of if_csum_flags_tx &
    pkthdr.csum_flags for checksum quirks should be re-evaluated.
2005-02-12 23:25:29 +00:00
manu 5c217c1a67 Add support for IPsec Network Address Translator traversal (NAT-T), as
described by RFC 3947 and 3948.
2005-02-12 12:31:07 +00:00
heas 52b0cd6b47 ntohs->htons for ip6 plen (payload length).
It is not technically necessary to set plen here, since ip6_output() starts
off by calculating it, but leaving it keeps it consistent with other code.
2005-02-12 01:24:07 +00:00
pk 237a0c2d85 Update tcp_trace() prototype to match implementation. 2005-02-06 20:13:09 +00:00
perry b02c92c5bf ANSIfy function declarations 2005-02-03 23:50:33 +00:00
perry 870f206724 ANSIfy function declarations 2005-02-03 23:39:32 +00:00
perry dcf288607c ANSIfy function declarations 2005-02-03 23:25:22 +00:00
perry d5c8fcf31c ANSIfy function declarations 2005-02-03 23:13:20 +00:00
perry 71ef63c98f ANSIify function declarations 2005-02-03 23:08:43 +00:00
perry 402f8626b1 ANSIfy function declarations 2005-02-03 22:51:50 +00:00
perry 90789ef318 some ANSIfying, and remove an unsightly tab 2005-02-03 22:45:28 +00:00
perry babe6a957c KNF + slightly ANSIfy 2005-02-03 22:43:34 +00:00
perry 51ad03a950 ANSIfy function prototypes. (Still have about 3/5ths of the C files in
netinet to go...)
2005-02-03 03:49:01 +00:00
perry 3494482345 de-__P -- will ANSIfy .c files later. 2005-02-02 21:41:55 +00:00
perry 695648ddc8 de-__P, do some ANSIfication. 2005-02-02 21:41:01 +00:00
he 1c9ef2aa0a Fix "unused local variable" warning/error if compiling without
bridge support by making variable declaration conditional.  Found
while compiling for shark.
2005-02-01 12:56:30 +00:00
kim c9f56c04dc Add RFC 3378 EtherIP support, ported from OpenBSD to NetBSD by
Hans Rosenfeld (rosenfeld at grumpf.hope-2000.org)

This change makes it possible to add gif interfaces to bridges, which
will then send and receive IP protocol 97 packets. Packets are Ethernet
frames with an EtherIP header prepended.
2005-01-31 23:49:36 +00:00
mycroft 47759e6333 Several changes based on comparison with NS:
1) dupseg_fix_=true from NS: do not count a segment with completely duplicate
data as a duplicate ack.  This can occur due to duplicate packets in the
network, or due to fast retransmit from the other side.

2) dupack_reset_=false from NS: do not reset the duplicate ack counter or exit
fast recovery if we happen to get data or a window update along with a
duplicate ack.

3) In the "very old ack" case that itojun added, send an ACK before dropping
the segment, to try to update the other side's send sequence number.

4) Check the ssthresh crossover point with >= rather than >.  Otherwise we
start to do "exponential" growth immediately following recovery, where we
should be doing "linear".  This is what NS does.
2005-01-28 00:18:22 +00:00