Commit Graph

1331 Commits

Author SHA1 Message Date
wiz e8f4f5ba76 No need to include netinet/ip_mroute.h twice.
Closes PR 24652 by Kailash Sethuraman.
2004-03-04 15:15:06 +00:00
thorpej 8387ab32c5 Use IPSEC_PCB_SKIP_IPSEC() to short-circuit calls to ipsec{4,6}_hdrsiz_tcp(). 2004-03-03 05:59:38 +00:00
thorpej 2803ff0955 Use the new IPSEC_PCB_SKIP_IPSEC() to bypass a socket policy lookup
when possible.  This shaves several cycles from the output path for
non-IPsec connections, even if the policy is cached in the PCB.
2004-03-02 02:28:28 +00:00
thorpej 00f100daae Call ipsec_pcbconn() and ipsec_pcbdisconn() for FAST_IPSEC, too. 2004-03-02 02:26:28 +00:00
thorpej 979f197a86 Define a sotoinpcb_hdr() macro (a'la sotoinpcb()). 2004-03-02 02:11:14 +00:00
itojun 8ef33296ff KNF 2004-02-26 02:34:59 +00:00
wiz 73e1501b98 parameter with two es. From Peter Postma. 2004-02-24 15:22:01 +00:00
wiz f05e6f1a3a occured -> occurred. From Peter Postma. 2004-02-24 15:12:51 +00:00
itojun d334411bcd deal with IPv6 path MTU < 1280 (RFC2460 section 5 last paragraph).
check if there really is room for TCP data.
2004-02-04 05:36:03 +00:00
abs c02c2d8844 Allow DEF_NAT_AGE to be set in kernel config. 2004-01-16 09:01:22 +00:00
itojun 0146a277ba correct typo in 1.94 -> 1.95. pointed out by Shiva Shenoy 2004-01-15 05:13:17 +00:00
itojun 3ffdb9507a avoid deref-after-free.
http://sources.zabbadoz.net/freebsd/patchset/106-ipsec-pcb-discon.diff
2004-01-13 06:17:14 +00:00
matt 9196bdd1f8 When accepting a peer's MSS, never let it drop below 256 (SLIP + TCP will
be the lowest MSS we should ever enounter).
2004-01-07 19:15:43 +00:00
tron 784a553ad1 Remove extra tokens at end of #undef directive. 2004-01-03 22:34:38 +00:00
itojun 4fc59b19d5 no need for tmp = arc4randomid here 2004-01-02 20:51:51 +00:00
itojun 7cddb2827b whitespace 2004-01-02 15:51:45 +00:00
itojun 344b08b44b some corrections from markus@openbsd;
- callout_ack() was called with wrong argument
2004-01-02 15:51:04 +00:00
itojun 5377ace199 some corrections from markus@openbsd;
- callout_ack() was called with wrong argument
- no need for xor with timestamp as we are using arc4random()
- minor typo/cleanup
2004-01-02 12:01:39 +00:00
wiz d46bc94200 Niels Provos kindly agreed to drop clauses 3 and 4 from the
license -- thanks.
Based on OpenBSD commit and hints by itojun.
2003-12-26 19:04:55 +00:00
abs 8724ebf7f9 Comment out #undef LARGE_NAT so LARGE_NAT can be set in a kernel config file
without having to edit this file as well.
2003-12-16 12:15:04 +00:00
thorpej 0c4c58a70b Fix syntax errors in CHECK_NMBCLUSTER_PARAMS(). 2003-12-14 01:14:24 +00:00
jonathan 9c1a5c5570 Second part of hashed IP_reassembly changes:
When under pressure for mbufs or we have too many fragments in the IP
reassembly queue, drop half of all fragments. This multiplicative-drop
strategy ensures we return to a healthy state, even under borderline
denial-of-service from extremely lossy NFS-over-UDP peers.
The multiplicative-drop phase currently drops 50% of fragments, but
has pre-placed support for implementing drop-fractions other than 50%

The threshhold for the `drop-half' phase is the new variable,
ip_maxfrags which is calculated as nmbclusters/4.

ip_input.c now keeps ip_nmbclusters, a cached copy of nmbclusters.
Before using limits derived from nmbclusters, we check if nmbclusters
and ip_nmclusters are equal. If not, we recompute Ip parameters
derived from nmbclusters.  Based on a suggestion by Jason Thorpe.
ip_maxfrags is currently auto-recalcuated.

The counters ip_nfrags and ip_nfragpacketsr are now declared static
and uninitialized (bss), to discourage tampering with them.
2003-12-14 00:09:24 +00:00
scw 6aec1d6812 Make fast-ipsec and ipflow (Fast Forwarding) interoperate.
The idea is that we only clear M_CANFASTFWD if an SPD exists
for the packet. Otherwise, it's safe to add a fast-forward
cache entry for the route.

To make this work properly, we invalidate the entire ipflow
cache if a fast-ipsec key is added or changed.
2003-12-12 21:17:59 +00:00
itojun aa8a6718f0 use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULL
to check if interface exists, as (1) if_index has different meaning
(2) ifindex2ifnet could become NULL when interface gets destroyed,
since when we have introduced dynamically-created interfaces.  from kame
2003-12-10 11:46:33 +00:00
itojun c81f32fe6c comment from niels provos;
- seed2 is necessary, but use it as "seed2 + x" not "seed2 ^ x".
- skipping number is not needed, so disable it for 16bit generator (makes
  the repetition period to 30000)
2003-12-10 05:22:18 +00:00
jonathan 626b230d59 Add new field ipq_nfrags to struct ipq. Maintain count of fragments
(fragments, not fragmented packets) in each queue entry.
Use ipq_nfrags to maintain a count of total fragments in reassembly queue.
2003-12-08 02:23:27 +00:00
jonathan 27171efb6d KNF: s/unsigned/u_int/, in a couple of places I missed. 2003-12-07 01:18:26 +00:00
jonathan c56097abb8 Replace the single global IP reassembly list/listhead, with a
hashtable of list-heads. Independently re-invented, then reworked to
match similar code in FreeBSD.
2003-12-06 23:56:10 +00:00
atatat 13f8d2ce5f Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al.  Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.

Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded.  Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.

All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.

PS - I'm sorry, but there's a distinct lack of documentation at the
moment.  I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 19:38:21 +00:00
christos 0aac876eae fix unused variable warnings when LARGE_NAT is defined. 2003-12-04 15:32:01 +00:00
scw 7ef39665ff ipflow (IP fast forwarding) is not compatible with FAST_IPSEC either.
XXX: The decision whether or not to fast forward should be made
XXX: dynamically. Using the current approach seriously reduces
XXX: routing performance on gateways with IPsec enabled.
2003-12-04 10:02:35 +00:00
itojun a748550c99 always compile ip_id.c 2003-11-26 21:26:56 +00:00
itojun 326cfe57d2 define RANDOM_IP_ID by default (unifdef -DRANDOM_IP_ID).
one use remains in sys/netipsec, which is kept for freebsd source code compat.
2003-11-26 21:15:47 +00:00
itojun 0864b4939d "seed2" was ruining non-repeating property, so remove it. discussed on tech-net 2003-11-25 18:13:55 +00:00
itojun f51095cf7c knf 2003-11-25 14:44:13 +00:00
scw fd11abcb03 For FAST_IPSEC, ipfilter gets to see wire-format IPsec-encapsulated packets
only. Decapsulated packets bypass ipfilter. This mimics current behaviour
for Kame IPsec.
2003-11-24 20:54:59 +00:00
yamt bba8d5af45 comments on tcp_outflags. 2003-11-20 16:21:48 +00:00
fvdl f2fdecfc92 Correct number of arguments to sysctl_rdint. 2003-11-19 22:40:55 +00:00
jonathan b6e73d53fb Footwork for fast-ipsec and IPv6: when compiling sys/netinet/tcp_input.c
for both FAST_IPSEC and INET6, include <netipsec/ipsec6.h>.
2003-11-19 20:47:00 +00:00
jonathan 130f3bfc26 Patch back support for (badly) randomized IP ids, by request:
* Include "opt_inet.h" everywhere IP-ids are generated with ip_newid(),
  so the RANDOM_IP_ID option is visible. Also in ip_id(), to ensure
  the prototype for ip_randomid() is made visible.

* Add new sysctl to enable randomized IP-ids, provided the kernel was
  configured with RANDOM_IP_ID. (The sysctl defaults to zero, and is
  a read-only zero if RANDOM_IP_ID is not configured).

Note that the implementation of randomized IP ids is still defective,
and should not be enabled at all (even if configured) without
very careful deliberation. Caveat emptor.
2003-11-19 18:39:34 +00:00
jonathan de80d1419e Diff to netinet/ip_input.c (restore ip_id, initialize) for ip_id fix:
Revert the (default) ip_id algorithm to the pre-randomid algorithm,
due to demonstrated low-period repeated IDs from the randomized IP_id
code.  Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.

Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be  provided.

This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
2003-11-17 22:34:16 +00:00
jonathan 995c532c33 Revert the (default) ip_id algorithm to the pre-randomid algorithm,
due to demonstrated low-period repeated IDs from the randomized IP_id
code.  Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.

Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be  provided.

This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
2003-11-17 21:34:27 +00:00
jonathan fa24e6f3f8 Add m_tag_delete_nonpesrsistent(), for deleting all packet tags on
mbuf chains which are recycled (e.g., ICMP reflection, loopback
interface).  A consensus was reached that such recycled packets should
behave (more-or-less) the same way if a new chain had been allocated
and the contents copied to that chain.

Some packet tags may in future be marked as "persistent" (e.g., for
mandatory access controls) and should persist across such deletion.
NetBSD as yet hos no persistent tags, so m_tag_delete_nonpersistent()
just deletes all tags. This should not be relied upon.
2003-11-13 01:48:12 +00:00
itojun d46ad3421a KNF 2003-11-12 15:00:05 +00:00
ragge 4a9b211e76 Remove the FAST_MBSEARCH ifdef, send packet prediction is now default. 2003-11-12 10:48:04 +00:00
jonathan 79bf8521a5 Change global head-of-local-IP-address list from in_ifaddr to
in_ifaddrhead. Recent changes in struct names caused a namespace
collision in fast-ipsec, which are most cleanly fixed by using
"in_ifaddrhead" as the listhead name.
2003-11-11 20:25:26 +00:00
jonathan b86d07f435 Allocate sysctl oid for ipv4 sysctl node "ifq", define symbolic name, and
bump IPCTL_MAXID. (Should have been committed with other ifq sysctl changes).
2003-11-10 20:50:29 +00:00
jonathan 88ba77e705 Make per-protocol network input queue stats visible to userland via
sysctl. Add a protocol-independent sysctl handler to show the per-protocol
"struct ifq' statistics. Add IP(v4) specific call to the handler.
Other protocols can show their per-protocol input statistics by
allocating a sysclt node and calling sysctl_ifq() with their own struct ifq *.

As posted to tech-kern plus improvements/cleanup suggested by Andrew Brown.
2003-11-10 20:03:29 +00:00
simonb a2facef339 Remove some assigned-to but otherwise unused variables. 2003-10-30 01:43:08 +00:00
mycroft d7f0f6de8f Do the previous differently. 2003-10-28 20:27:22 +00:00
provos 57755c156a use a hash table to bind to local ports; suggested by markus friedl
approved: fvdl@
2003-10-28 17:18:37 +00:00
thorpej db71356cd1 - Change callout_setfunc() to require that the callout handle is already
initialized.  Update the txp(4) to compensate.
- Statically initialize the TCP timer callout handles in the tcpcb
  template.  We still use callout_setfunc(), but that call is now much
  less expensive.  Add a comment that the compiler is likely to unroll
  the loop (so don't sweat that it's there).
2003-10-27 16:52:01 +00:00
itojun 3fef2ba893 make it compilable with TCP_DEBUG defined 2003-10-27 07:43:01 +00:00
christos 2017bf9a94 Fix uninitialized variable warning 2003-10-25 18:31:59 +00:00
christos 649137925e initialize off 2003-10-25 08:13:28 +00:00
ragge da20a11a23 Fix the bug in the tcp transmit prediction code.
During testing the prediction counters show a hit-rate on about 85% for
packets sent on a local LAN, and better than 99% for intercontinental
high-speed bulk traffic (!).
2003-10-24 10:25:40 +00:00
enami 935b3c7ad5 Make this file compile again when TCP_OUTPUT_COUNTERS defined. 2003-10-24 03:12:53 +00:00
mycroft 5a8b331f54 Remove all the code to maintain ia_inpcbs. This information was only used to
close sockets on address changes, which was deemed to be a bad idea and was
summarily removed, so there is no point in wasting effort on maintaining it
any more.
2003-10-23 20:55:08 +00:00
thorpej e8a98ee63e Oops, FAST_MBSEARCH counters were swapped; fix it. Pointed out by yamt@. 2003-10-23 17:02:23 +00:00
thorpej 9e4220c00a Oops, a little to aggressive in the previous patch; TCP_TIMER_INIT()
still needs to be in tcp_newtcpcb(), for now.  Pointed out by enami.
2003-10-22 05:55:54 +00:00
thorpej 31923baa46 Rather than zeroing a tcpcb structure and filling in all the fields
individually, create a tcpcb template pre-initialized (and pre-zero'd)
with the static and mostly-static tcpcb parameters.  The template is
now copied into the new tcpcb, which zeros and initializes most of the
tcpcb in one pass.  The template is kept up-to-date as TCP sysctl
variables are changed.

Combined with the previous sb_max change, TCP socket creation is now
25% faster.
2003-10-22 02:45:57 +00:00
thorpej 861856caa0 Add event counters that measure FAST_MBSEARCH. 2003-10-21 21:17:20 +00:00
enami e51f5c64e5 Fix indent. 2003-10-18 13:05:45 +00:00
enami bae9643b84 Increment stats when packet is dropped since there is no room
to put all fragments in the interfaces's send queue.  Some large
UDP packets are dropped here and administrator may want to bump ifqmaxlen.
2003-10-17 20:31:12 +00:00
itojun 5e7b0c710b more correction to ip_fragment; free mbuf correctly if ENOBUFS is raised
during fragmenting.
2003-10-14 06:36:48 +00:00
itojun 00af50df1b avoid mbuf leak on ip_fragment(); obey 4.4bsd mbuf passing rule (mbuf passed
to a function must be freed by the called function on error).
pointed out by enami
2003-10-14 03:38:49 +00:00
mycroft f2fc15d4b5 There is also no reason to use arc4random() here. 2003-10-07 21:24:56 +00:00
itojun 98d5598feb when dropping M_PKTHDR, need to free m_tag associated with it. 2003-10-03 20:56:11 +00:00
itojun 899b67c09a correct ip_fragment() wrt ip->ip_off handling.
do not send out incomplete fragment due to ENOBUFS (behavior change from 4.4BSD)
2003-10-01 23:54:40 +00:00
tls b911732f2a Increase default socket-buffer sizes from 16K to 32K. This increases
throughput significantly in a wide variety of test cases, including
local gigabit ethernet with both jumbo and standard frames,
transcontinental (U.S.) connections with e2e bandwidths ranging from
10Mbit/sec to 155Mbit/sec, and on a variety of test connections
between the NetBSD Project public servers and machines in Australia.

The impact of this change is less dramatic for high-delay connections
when Path MTU is in use but still measurable.

For optimal performance on local gigabit networks, a higher socket
buffer size (at least 64K) will still yield a substantial improvement
in performance, but 32K gets us most of the way there in my test
cases, with only a cost of _doubling_ memory use per socket rather
than _quadrupling_ it.

N.B. Windows NT, at least since Win2k SP2, uses a default socket buffer
     size (or their analogue thereof) of 64K, which is a useful data
     point.
2003-09-29 21:39:35 +00:00
mycroft ca96c7c4ec Remove some code that breaks AH tunnels completely. The comment describing
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.

NB: This does not fix the fact that IPsec leaks "packet tags."
2003-09-28 04:45:14 +00:00
mycroft 3114965161 Fix glaring errors in recent changes. 2003-09-25 00:59:31 +00:00
itojun 8d9a724638 on arplookup() failure, nuke cloned route - otherwise outsider could use massive
number of bogus ARPs for DoS attack.  FreeBSD-SA-03:14.arp
2003-09-24 06:52:47 +00:00
jonathan 5923dedaeb Fast-ipsec can call ip_output() with a null 'struct socket *so'
argument.  So check so is non-NULL before doing the pointer-chasing
dance to find the PCB. (Unless and until we rework fast-ipsec and
KAME, to pass a struct in_pcbhdr * instead of the struct socket *).
2003-09-19 00:27:56 +00:00
itojun a3931fc5ab exp is reserved name under posix 2003-09-16 00:31:55 +00:00
itojun 6b33d95e22 send icmp admin prohibit if socket policy mismatches. 2003-09-12 09:55:22 +00:00
itojun 644a4857fb cut-and-paste error. Valeriy E. Ushakov 2003-09-10 01:46:27 +00:00
itojun 99bc41d6fd if IPsec inbound policy mismatches, respond to SYN with RST (instead of
just dropping it), allow client to react quickly.
2003-09-10 00:58:29 +00:00
itojun 495bd5ff91 initialize ip_hl for ipsec policy lookup. PR kern/22715 2003-09-08 02:06:34 +00:00
itojun 32e3deae21 randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability
of these fields.  ip_id.c is from openbsd.  ip6_id.c is adapted by kame.
2003-09-06 03:36:30 +00:00
itojun 175c9afa3f clarify flowlabel handling 2003-09-06 03:12:51 +00:00
itojun dd45bfac41 backout previous, we don't know if arc4random() corrides on reboot. 2003-09-06 00:24:54 +00:00
itojun 9636351c96 u_short -> u_int16_t 2003-09-05 23:02:40 +00:00
itojun 186bd1ad6a initialize fragment ID with arc4random, not by time.tv_sec 2003-09-05 22:09:38 +00:00
itojun 495906ca8e revamp inpcb/in6pcb so that they are more aligned with each other.
in6pcb lookup now uses hash(9).
2003-09-04 09:16:57 +00:00
itojun 5c39f4aaa7 don't intiialize m by m0, m0 is not initialized (by introduction of ip_fragment) 2003-08-27 02:09:59 +00:00
itojun 3e76200c67 need sys/domain.h for FAST_IPSEC case; jonathan 2003-08-23 01:41:10 +00:00
itojun a3bad645a4 make sure so is properly initialized 2003-08-22 22:49:34 +00:00
itojun 58f57a60fd tp could be null in tcp_respond() 2003-08-22 22:27:07 +00:00
itojun 4e6aca94c2 correct missing inclusion of opt_ipsec.h 2003-08-22 22:11:44 +00:00
itojun 11ede1ed88 remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output. 2003-08-22 22:00:36 +00:00
itojun 82eb4ce914 change the additional arg to be passed to ip{,6}_output to struct socket *.
this fixes KAME policy lookup which was broken by the previous commit.
2003-08-22 21:53:01 +00:00
jonathan 9339ef0381 Change KAME code for ip_output()/ip6_output() to obtain struct socket*
from the explicit inpcb*/in6pcb* argument.  set_socket() becomes redundant.
2003-08-22 20:29:00 +00:00
jonathan 902669955f Replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
2003-08-22 20:20:09 +00:00
jonathan 6196bbe72d Honour the M_CSUM_NO_PSEUDOHDR, if set on inbound TCP and UDP packets.
Tested against  bcm5700 with patched if_bge.c.
2003-08-21 14:49:49 +00:00
itojun b83dd2f98b remove unneeded #ifdef __NetBSD__ 2003-08-19 08:00:54 +00:00
itojun ade8129bdc make ip_fragment public (it is for coming PF integration) 2003-08-19 01:20:03 +00:00
christos ae572737ba make ip_fragment static and add prototype. 2003-08-19 00:54:41 +00:00
itojun 4f8ba921cd correct ip_multicast_if fix to always set ifp (tnx Shiva) 2003-08-19 00:17:38 +00:00
itojun 449b5c43d4 since we cope with packets with addess on !IFF_UP interface in ip_input()
properly, IFF_UP check in INADDR_TO_IA is obsolete (or too much).
2003-08-18 22:28:51 +00:00