* always acquire the device instance lock at splnet()
* missing unlocks in various places
Also, since this driver allows its device instances manipulated by two
independent subsystems (character device & interface clone create/destroy),
be careful not to rip away instance data in a clone destroy request if the
instance is still opened as a character device.
(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.
This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).
NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.
In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:
sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15
Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.
to pool_init. Untouched pools are ones that either in arch-specific
code, or aren't initialiased during initial system startup.
Convert struct session, ucred and lockf to pools.
particule device. In doing this, make a new the bpf_stat structure with
members that are u_long rather than u_int, matching the counters in the bpf_d.
the original bpf_stat is now bpf_stat_old and so to the original ioctl
is preserved as BIOCGSTATSOLD.
not a read operation should be allowed to sleep. This allows the use of
bd_rtout with a value of "-1" to be eliminated (signed comparison and
assignment to an unsigned long.)
* in 1.91, a change was introduced that had bpfpoll() returning POLLRDNORM
set when the timeout expired. This impacted poorly on performance as well
as causing select to return an fd available for reading when it wasn't.
Change the behaviour here to only allow the possibility of POLLIN being
returned as active in the event of a timeout.
Fix the behaviour of BIOCIMMEDIATE (fix from LBL BPF code via FreeBSD.)
In bpf_mtap(), optimise the calling of bpf_filter() and catchpacket()
based on whether or not the entire packet is in one mbuf (based on
similar change FreeBSD but fixes BIOC*SEESENT issue with that.)
Copy the implementation of BIOCSSEESENT, BIOCGSEESENT by FreeBSD.
Review Assistance: Guy Harris
PRs: kern/8674, kern/12170
Increase the default bpf buffer size used by naive apps that don't do
BIOCSBLEN, from 8k to 32k. The former value of 8192 is too small to
hold a normal jumbo Ethernet frame (circa 9k), 16k is a little small
for Large-jumbo (~16k) frames supported by newer gigabit
Ethernet/10Gbe, so (somewhat arbitrarily) increase the default to 32k.
Increase the upper limit to which BIOSBLEN can raise bpf buffer-size
drastically, to 1 Mbyte. State-of-the-art for packet capture circa
1999 was around 256k; savvy NetBSD developers now use 1 Mbyte.
Note that libpcap has been updated to do binary-search on BIOCSBLEN
values up to 1 Mbyte.
Work is in progress to make both values sysctl'able. Source comments
note that consensus on tech-net is that we should find some heuristic
to set the boot-time default values dynamically, based on system memory.
to check if interface exists, as (1) if_index has different meaning
(2) ifindex2ifnet could become NULL when interface gets destroyed,
since when we have introduced dynamically-created interfaces. from kame
the tag before forwarding the packet, make sure the packet+tag is at least
68 bytes long.
This is necessary because our parent will only pad to 64 bytes (ETHER_MIN_LEN)
and some switches will not pad by themselves after deleting a tag.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
mbuf chains which are recycled (e.g., ICMP reflection, loopback
interface). A consensus was reached that such recycled packets should
behave (more-or-less) the same way if a new chain had been allocated
and the contents copied to that chain.
Some packet tags may in future be marked as "persistent" (e.g., for
mandatory access controls) and should persist across such deletion.
NetBSD as yet hos no persistent tags, so m_tag_delete_nonpersistent()
just deletes all tags. This should not be relied upon.
The code was assuming that interface addresses are removed one-by-one.
With IPv6 and multicasts, removal of one address can remove other
addresses as side effect, which caused accesses of free()d memory.
sysctl. Add a protocol-independent sysctl handler to show the per-protocol
"struct ifq' statistics. Add IP(v4) specific call to the handler.
Other protocols can show their per-protocol input statistics by
allocating a sysclt node and calling sysctl_ifq() with their own struct ifq *.
As posted to tech-kern plus improvements/cleanup suggested by Andrew Brown.
pk