Commit Graph

2070 Commits

Author SHA1 Message Date
rmind
2e6f2099c6 Import NPF - a packet filter. Some features:
- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
  Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
  supporting generic RISC-like and specific CISC-like instructions for
  common patterns (e.g. IPv4 address matching).  See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
2010-08-22 18:56:18 +00:00
pgoyette
23d5409e7e Update the rest of the kernel to conform to the module subsystem's new
locking protocol.
2010-08-21 13:19:39 +00:00
pgoyette
5ef3a6df9b Keep condvar wmesg within 8 char limit 2010-08-11 11:47:29 +00:00
kefren
d4ccc143a1 we need to set rt_ifp even if ifa is the same. Fixes the case when one
changes route to a different ifp but wants to keep the same ifa
2010-06-28 17:26:11 +00:00
kefren
00914d6d55 Don't assume that rt_tag family is AF_MPLS but verify it.
This way rt_tag can be used for other future work also, not only MPLS
2010-06-27 13:39:11 +00:00
kefren
aeb8fe1fa4 Style fix: Tab consistency with the lines around it 2010-06-27 06:48:40 +00:00
kefren
25133d6d8f Fix build for MPLS import: add options MPLS, changed pseudo-device mpls
to pseudo-device ifmpls
2010-06-26 15:17:56 +00:00
kefren
826653c190 Add MPLS support, proposed on tech-net@ a couple of days ago
Welcome to 5.99.33
2010-06-26 14:24:27 +00:00
skrll
6a978a976d Correct the argument order of ifreqn2o conversion.
Fixes PR/42585.
2010-06-12 08:12:03 +00:00
dyoung
0d73006091 Prevent if_detach() from crashing while it walks the routing table
to find and unlink routes that reference the detached ifnet: make
if_rt_walktree() return ERESTART whenever it has deleted a route.
Whenever rt_walktree() returns ERESTART, if_detach() restarts it.

I believe that this fix resembles one by Jonathan Kollasch or by someone
else, which has languished in a PR for too long.  Sorry!

Tested by me and by Jeff Rizzo.

XXX It's supposed to be safe for rn_walktree() to apply to the routing
XXX table a routine that may delete routes.  Why isn't it safe in
XXX practice?
2010-06-02 23:41:14 +00:00
mjf
e0e10b0607 Add __cacheline_aligned and __read_mostly annotations.
These annotations help to mitigate false sharing on multiprocessor
systems.

Variables annotated with __cacheline_aligned are placed into the
.data.cacheline_aligned section in the kernel. Each item in this
section is aligned on a cacheline boundary - this avoids false
sharing. Highly contended global locks are a good candidate for
__cacheline_aligned annotation.

Variables annotated with __read_mostly are packed together tightly
into a .data.read_mostly section in the kernel. The idea here is that
we can pack infrequently modified data items into a cacheline and
avoid having to purge the cache, which would happen if read mostly
data and write mostly data shared a cacheline. Initialisation variables
are a prime candidate for __read_mostly annotations.
2010-06-01 22:13:30 +00:00
dyoung
a5a3d4c202 Change sc_wrports from an int to a bool and "test truth" instead of
comparing with 0.

Add 'volatile' to several other state variables that need it.
2010-05-26 23:46:44 +00:00
christos
e0734521a4 delint previous 2010-05-19 20:43:51 +00:00
christos
5cbb2aa881 Replace ether_nonstatic_aton with a
- better named one
- not suffering from buffer overflow
- simpler
- handling different separators
- returning error codes for errors

Some ideas from one posted on tech-net by Jonathan A. Kollasch
2010-05-19 20:41:59 +00:00
jakllsch
fdc252ea81 Changes to ether_nonstatic_aton():
Be more lenient on input string format.  Each nibble pair may optionally be
followed by any of ':', '-', '.' or ' '.

Make source string const and work on a temporary copy.  The caller may not
expect their string to be destroyed.
2010-05-19 18:58:22 +00:00
dyoung
ffd45aaae7 Constify some ether_output() arguments so that it's clear that they
can never be re-assigned.
2010-05-05 18:12:24 +00:00
kefren
f4183d10ff Permit the existence of a route with unlinked ifp and ifa,
enabling this way the possibility to send a packet on an interface with
source address from another interface.
2010-05-02 19:17:56 +00:00
drochner
14f78ca302 the correct check for BPF_K is with BPF_SRC for BPF_ALU ops, from
Guy Harris per PR kern/43185
fixes possible division-by-zero crashes by evil filter expressions
like "len / 0 = 1"
pullup candidate
2010-04-21 16:35:09 +00:00
jmcneill
ce4300c675 COMPAT_50 support for SPPP[GS]ETIDLETO and SPPP[GS]ETKEEPALIVE, ok martin@ 2010-04-20 14:32:03 +00:00
pooka
735701ff27 Add a little comment on how bpf can be made unloadable, per pointer from ad. 2010-04-14 13:31:33 +00:00
joerg
58e867556f Push the bpf_ops usage back into bpf.h. Push the common ifp->if_bpf
check into the inline functions as well the fourth argument for
bpf_attach.
2010-04-05 07:19:28 +00:00
pgoyette
b96bf61fb6 Now that fw_port.h is gone, we need to directly include <sys/select.h>
Fixes build break reported by myself.
2010-03-31 12:17:01 +00:00
kiyohara
af09db112b Bye-bye fw_port.h. 2010-03-29 03:05:27 +00:00
christos
8bc5973709 add BIOC{G,S}FEEDBACK which allows one to receive injected outgoing packets
via bpf.
2010-03-13 20:38:48 +00:00
snj
ccaf1e96be Fight the ever-increasing size of src checkouts by spelling "useful"
without an extra l.
2010-02-28 15:52:16 +00:00
darran
6cc8d64caf Propagate the IFCAP_TSOv6 property also. 2010-02-28 07:10:40 +00:00
dyoung
9554bb1e78 Take another stab at fixing the LOCKDEBUG panic reported in PR
kern/39940 and by Martti Kuparinen on current-users@:  replace the
ioctl lock with finer-grained locking.  Lock the ports list and
wait to if_clone_destroy() until all threads are out of the softc.

Thanks to Martti Kuparinen for testing these changes.
2010-02-08 17:59:06 +00:00
joerg
3d7916e198 Explicitly include opt_gateway.h when depending on GATEWAY. 2010-02-04 21:48:11 +00:00
mbalmer
0f58fac97e fix language 2010-01-28 14:12:11 +00:00
pooka
de4f105d4a Include sys/atomic.h now that it's used but gets stealth-included
only on some archs.
2010-01-26 01:06:23 +00:00
pooka
b2bb0f38d5 Make bpf dynamically loadable. 2010-01-25 22:18:17 +00:00
dyoung
53aaf4795c Spelling fix: correspoding -> corresponding. 2010-01-21 20:51:31 +00:00
pooka
64cb662564 fix pasto in previous 2010-01-19 23:11:10 +00:00
pooka
21958f98cc slap dis wit summah dat RCSId 2010-01-19 22:33:35 +00:00
pooka
b014350f7f Redefine bpf linkage through an always present op vector, i.e.
#if NBPFILTER is no longer required in the client.  This change
doesn't yet add support for loading bpf as a module, since drivers
can register before bpf is attached.  However, callers of bpf can
now be modularized.

Dynamically loadable bpf could probably be done fairly easily with
coordination from the stub driver and the real driver by registering
attachments in the stub before the real driver is loaded and doing
a handoff.  ... and I'm not going to ponder the depths of unload
here.

Tested with i386/MONOLITHIC, modified MONOLITHIC without bpf and rump.
2010-01-19 22:08:16 +00:00
pooka
10fe49d72c Redefine bpf linkage through an always present op vector, i.e.
#if NBPFILTER is no longer required in the client.  This change
doesn't yet add support for loading bpf as a module, since drivers
can register before bpf is attached.  However, callers of bpf can
now be modularized.

Dynamically loadable bpf could probably be done fairly easily with
coordination from the stub driver and the real driver by registering
attachments in the stub before the real driver is loaded and doing
a handoff.  ... and I'm not going to ponder the depths of unload
here.

Tested with i386/MONOLITHIC, modified MONOLITHIC without bpf and rump.
2010-01-19 22:06:18 +00:00
pooka
64da563d90 Forward declare struct bpf_if and use that as the type for bpf_if
instead of "void *".  Buys us oo times the type-safety for 0 times
the price.
(no functional change)
2010-01-17 19:45:06 +00:00
pooka
ec8068f5fb * remove just-for-kicks locking
* KNF
* remove outdated comment (quite a funny one to read in 2010, though)
2010-01-15 22:16:46 +00:00
dsl
2a54322c7b If a multithreaded app closes an fd while another thread is blocked in
read/write/accept, then the expectation is that the blocked thread will
exit and the close complete.
Since only one fd is affected, but many fd can refer to the same file,
the close code can only request the fs code unblock with ERESTART.
Fixed for pipes and sockets, ERESTART will only be generated after such
a close - so there should be no change for other programs.
Also rename fo_abort() to fo_restart() (this used to be fo_drain()).
Fixes PR/26567
2009-12-20 09:36:05 +00:00
dsl
7a42c833db Rename fo_drain() to fo_abort(), 'drain' is used to mean 'wait for output
to drain' in many places, whereas fo_drain() was called in order to force
blocking read()/write() etc calls to return to userspace so that a close()
call from a different thread can complete.
In the sockets code comment out the broken code in the inner function,
it was being called from compat code.
2009-12-09 21:32:58 +00:00
dyoung
a439206784 KNF. 2009-12-09 00:44:26 +00:00
plunky
7f5b5a7b01 fix a potential leak on tap device close, purging the send queue
did not actually release the dequeued mbufs.

pointed out by Paul Forgey on tech-net
2009-11-29 10:44:23 +00:00
mbalmer
7404b55630 Fix function name that was changed by mistake in the previous whitespace
commit.
2009-11-28 09:20:37 +00:00
isaki
d591783aff white space -> tab. 2009-11-28 02:58:21 +00:00
rmind
dbd9b86792 Remove some unnecessary includes of the sys/user.h header. 2009-11-23 02:13:44 +00:00
christos
dd8534acfe ar_tha() can return NULL; treat this as an error. 2009-11-20 02:14:56 +00:00
joerg
a5fad62a18 Simplify ifreq_setaddr:
- Drop the INET6 block. The commands are never given to this function
  and truncating the sockaddr is arguably not the desired result anyway.
- Clear the address before copying. This fixes SIOCGIFNETMASK and possibly
  other ioctls for users that don't check sa_len. This includes
  COMPAT_43 and Linux emulation.

OK dyoung@
2009-11-13 23:11:08 +00:00
christos
314b0d9f8c PR/42285: PR/41559: Daniel Hagerty: if_stf doesn't count output bytes 2009-11-08 18:44:45 +00:00
dyoung
fa8b0147c6 s/u_quad_t/uint64_t/. 2009-11-03 00:30:31 +00:00
dyoung
bb960ead7a s/u_quad_t/uint64_t/ 2009-11-03 00:30:11 +00:00