-rw-r--r--sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c5
-rw-r--r--sys/net/if.c23
-rw-r--r--sys/net/if_ethersubr.c2
-rw-r--r--sys/net/if_gif.c32
-rw-r--r--sys/net/if_loop.c5
-rw-r--r--sys/net/raw_cb.c2
-rw-r--r--sys/net/route.c2
-rw-r--r--sys/netinet/if_ether.c17
-rw-r--r--sys/netinet/igmp.c6
-rw-r--r--sys/netinet/in.c12
-rw-r--r--sys/netinet/in_gif.c4
-rw-r--r--sys/netinet/in_mcast.c2
-rw-r--r--sys/netinet/in_pcb.c26
-rw-r--r--sys/netinet/in_pcb.h2
-rw-r--r--sys/netinet/in_proto.c1
-rw-r--r--sys/netinet/in_rmx.c18
-rw-r--r--sys/netinet/in_var.h9
-rw-r--r--sys/netinet/ip_divert.c2
-rw-r--r--sys/netinet/ip_fastfwd.c4
-rw-r--r--sys/netinet/ip_icmp.c41
-rw-r--r--sys/netinet/ip_icmp.h1
-rw-r--r--sys/netinet/ip_input.c80
-rw-r--r--sys/netinet/ip_output.c2
-rw-r--r--sys/netinet/raw_ip.c4
-rw-r--r--sys/netinet/tcp_hostcache.c4
-rw-r--r--sys/netinet/tcp_input.c29
-rw-r--r--sys/netinet/tcp_output.c19
-rw-r--r--sys/netinet/tcp_reass.c16
-rw-r--r--sys/netinet/tcp_sack.c11
-rw-r--r--sys/netinet/tcp_subr.c70
-rw-r--r--sys/netinet/tcp_syncache.c16
-rw-r--r--sys/netinet/tcp_timewait.c4
-rw-r--r--sys/netinet/tcp_var.h19
-rw-r--r--sys/netinet/udp_usrreq.c11
-rw-r--r--sys/netinet/vinet.h2
-rw-r--r--sys/netinet6/frag6.c2
-rw-r--r--sys/netinet6/icmp6.c13
-rw-r--r--sys/netinet6/in6_ifattach.c12
-rw-r--r--sys/netinet6/in6_proto.c81
-rw-r--r--sys/netinet6/in6_rmx.c23
-rw-r--r--sys/netinet6/in6_src.c10
-rw-r--r--sys/netinet6/ip6_forward.c2
-rw-r--r--sys/netinet6/ip6_input.c87
-rw-r--r--sys/netinet6/ip6_mroute.c21
-rw-r--r--sys/netinet6/mld6.c2
-rw-r--r--sys/netinet6/nd6.c71
-rw-r--r--sys/netinet6/nd6_nbr.c10
-rw-r--r--sys/netinet6/nd6_rtr.c16
-rw-r--r--sys/netinet6/raw_ip6.c2
-rw-r--r--sys/netinet6/scope6.c14
-rw-r--r--sys/netinet6/vinet6.h2
-rw-r--r--sys/netipsec/ipsec.c79
-rw-r--r--sys/netipsec/ipsec.h1
-rw-r--r--sys/netipsec/key.c60
-rw-r--r--sys/netipsec/keysock.c8
-rw-r--r--sys/netipsec/xform_ah.c10
-rw-r--r--sys/netipsec/xform_esp.c9
-rw-r--r--sys/netipsec/xform_ipcomp.c6
-rw-r--r--sys/netipsec/xform_ipip.c7
-rw-r--r--sys/sys/vimage.h2
60 files changed, 747 insertions, 306 deletions
diff --git a/sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c b/sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c
index 7903288..0fe4416 100644
--- a/sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c
+++ b/sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c
@@ -154,11 +154,6 @@ static unsigned int mbuf_wrs[TX_MAX_SEGS + 1] __read_mostly;
#define TCP_CLOSE 2
#define TCP_DROP 3
-extern int tcp_do_autorcvbuf;
-extern int tcp_do_autosndbuf;
-extern int tcp_autorcvbuf_max;
-extern int tcp_autosndbuf_max;
-
static void t3_send_reset(struct toepcb *toep);
static void send_abort_rpl(struct mbuf *m, struct toedev *tdev, int rst_status);
static inline void free_atid(struct t3cdev *cdev, unsigned int tid);
diff --git a/sys/net/if.c b/sys/net/if.c
index eb428ff..f44262c 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -134,22 +134,21 @@ static int if_getgroupmembers(struct ifgroupreq *);
extern void nd6_setmtu(struct ifnet *);
#endif
-int if_index = 0;
-int ifqmaxlen = IFQ_MAXLEN;
+#ifdef VIMAGE_GLOBALS
struct ifnethead ifnet; /* depend on static init XXX */
struct ifgrouphead ifg_head;
+int if_index;
+static int if_indexlim;
+/* Table of ifnet/cdev by index. Locked with ifnet_lock. */
+static struct ifindex_entry *ifindex_table;
+static struct knlist ifklist;
+#endif
+
+int ifqmaxlen = IFQ_MAXLEN;
struct mtx ifnet_lock;
static if_com_alloc_t *if_com_alloc[256];
static if_com_free_t *if_com_free[256];
-static int if_indexlim = 8;
-static struct knlist ifklist;
-
-/*
- * Table of ifnet/cdev by index. Locked with ifnet_lock.
- */
-static struct ifindex_entry *ifindex_table = NULL;
-
static void filt_netdetach(struct knote *kn);
static int filt_netdev(struct knote *kn, long hint);
@@ -357,6 +356,10 @@ if_init(void *dummy __unused)
{
INIT_VNET_NET(curvnet);
+ V_if_index = 0;
+ V_ifindex_table = NULL;
+ V_if_indexlim = 8;
+
IFNET_LOCK_INIT();
TAILQ_INIT(&V_ifnet);
TAILQ_INIT(&V_ifg_head);
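Review bot: Nothing in if_init() records that these three assignments replace the former static initializers (`if_indexlim = 8`, `ifindex_table = NULL`), so the ordering requirement is easy to lose in a later refactor. Any path that reads V_if_indexlim before if_init() has run would now see 0 rather than 8; whether such a path exists is not visible from this hunk. I would add a comment above the block such as `/* Former static initializers; must run before the first ifnet index is allocated. */`. The body of if_init() continues outside the hunk.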
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index 0365d1b..70075f6 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -142,8 +142,10 @@ MALLOC_DEFINE(M_ARPCOM, "arpcom", "802.* interface internals");
int
ether_ipfw_chk(struct mbuf **m0, struct ifnet *dst,
struct ip_fw **rule, int shared);
+#ifdef VIMAGE_GLOBALS
static int ether_ipfw;
#endif
+#endif
/*
* Ethernet output routine.
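Review bot: The two consecutive bare `#endif` lines are hard to pair by eye, because the new `#ifdef VIMAGE_GLOBALS` is nested inside a conditional that opens above the hunk. Labelling the inner one, `#endif /* VIMAGE_GLOBALS */`, and the outer one with its own condition would make a later mis-nesting obvious in review. This is a style point only; the nesting itself looks balanced in the visible lines.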
diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c
index db8835e..57bfaab 100644
--- a/sys/net/if_gif.c
+++ b/sys/net/if_gif.c
@@ -94,7 +94,18 @@
*/
static struct mtx gif_mtx;
static MALLOC_DEFINE(M_GIF, "gif", "Generic Tunnel Interface");
+
+#ifdef VIMAGE_GLOBALS
static LIST_HEAD(, gif_softc) gif_softc_list;
+static int max_gif_nesting;
+static int parallel_tunnels;
+#ifdef INET
+int ip_gif_ttl;
+#endif
+#ifdef INET6
+int ip6_gif_hlim;
+#endif
+#endif
void (*ng_gif_input_p)(struct ifnet *ifp, struct mbuf **mp, int af);
void (*ng_gif_input_orphan_p)(struct ifnet *ifp, struct mbuf *m, int af);
@@ -123,9 +134,6 @@ SYSCTL_NODE(_net_link, IFT_GIF, gif, CTLFLAG_RW, 0,
*/
#define MAX_GIF_NEST 1
#endif
-#ifndef VIMAGE
-static int max_gif_nesting = MAX_GIF_NEST;
-#endif
SYSCTL_V_INT(V_NET, vnet_gif, _net_link_gif, OID_AUTO, max_nesting,
CTLFLAG_RW, max_gif_nesting, 0, "Max nested tunnels");
@@ -140,11 +148,6 @@ SYSCTL_V_INT(V_NET, vnet_gif, _net_inet6_ip6, IPV6CTL_GIF_HLIM,
* pair of addresses. Some applications require this functionality so
* we allow control over this check here.
*/
-#ifdef XBONEHACK
-static int parallel_tunnels = 1;
-#else
-static int parallel_tunnels = 0;
-#endif
SYSCTL_V_INT(V_NET, vnet_gif, _net_link_gif, OID_AUTO, parallel_tunnels,
CTLFLAG_RW, parallel_tunnels, 0, "Allow parallel tunnels?");
@@ -251,12 +254,21 @@ gifmodevent(mod, type, data)
switch (type) {
case MOD_LOAD:
mtx_init(&gif_mtx, "gif_mtx", NULL, MTX_DEF);
- LIST_INIT(&V_gif_softc_list);
- if_clone_attach(&gif_cloner);
+ LIST_INIT(&V_gif_softc_list);
+ V_max_gif_nesting = MAX_GIF_NEST;
+#ifdef XBONEHACK
+ V_parallel_tunnels = 1;
+#else
+ V_parallel_tunnels = 0;
+#endif
+#ifdef INET
+ V_ip_gif_ttl = GIF_TTL;
+#endif
#ifdef INET6
V_ip6_gif_hlim = GIF_HLIM;
#endif
+ if_clone_attach(&gif_cloner);
break;
case MOD_UNLOAD:
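Review bot: The defaults for `V_max_gif_nesting`, `V_parallel_tunnels`, `V_ip_gif_ttl` and `V_ip6_gif_hlim` are assigned only on the MOD_LOAD path, so they are applied once, to whichever network-stack instance is current when the module loads. If further instances are created later (inferred from the V_ naming, not shown here), their copies would start at zero, which for the TTL and hop limit is not a usable default. Moving `if_clone_attach()` after the assignments is the right order. I would factor the assignments into a small static init helper that a per-instance attach hook can also call, or at least add `/* per-instance defaults; currently set only at module load */` above them. gifmodevent() starts and ends outside the hunk.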
diff --git a/sys/net/if_loop.c b/sys/net/if_loop.c
index 09bbb55..ba49d76 100644
--- a/sys/net/if_loop.c
+++ b/sys/net/if_loop.c
@@ -96,7 +96,9 @@ int looutput(struct ifnet *ifp, struct mbuf *m,
static int lo_clone_create(struct if_clone *, int, caddr_t);
static void lo_clone_destroy(struct ifnet *);
-struct ifnet *loif = NULL; /* Used externally */
+#ifdef VIMAGE_GLOBALS
+struct ifnet *loif; /* Used externally */
+#endif
IFC_SIMPLE_DECLARE(lo, 1);
@@ -142,6 +144,7 @@ loop_modevent(module_t mod, int type, void *data)
switch (type) {
case MOD_LOAD:
+ V_loif = NULL;
if_clone_attach(&lo_cloner);
break;
diff --git a/sys/net/raw_cb.c b/sys/net/raw_cb.c
index 076d2f5..b2a04ca 100644
--- a/sys/net/raw_cb.c
+++ b/sys/net/raw_cb.c
@@ -57,7 +57,9 @@
*/
struct mtx rawcb_mtx;
+#ifdef VIMAGE_GLOBALS
struct rawcb_list_head rawcb_list;
+#endif
SYSCTL_NODE(_net, OID_AUTO, raw, CTLFLAG_RW, 0, "Raw socket infrastructure");
diff --git a/sys/net/route.c b/sys/net/route.c
index 359ac8a..de45ff8 100644
--- a/sys/net/route.c
+++ b/sys/net/route.c
@@ -84,6 +84,7 @@ SYSCTL_INT(_net, OID_AUTO, add_addr_allfibs, CTLFLAG_RW,
&rt_add_addr_allfibs, 0, "");
TUNABLE_INT("net.add_addr_allfibs", &rt_add_addr_allfibs);
+#ifdef VIMAGE_GLOBALS
static struct rtstat rtstat;
/* by default only the first 'row' of tables will be accessed. */
@@ -96,6 +97,7 @@ static struct rtstat rtstat;
struct radix_node_head *rt_tables[RT_MAXFIBS][AF_MAX+1];
static int rttrash; /* routes not in table but not freed */
+#endif
static void rt_maskedcopy(struct sockaddr *,
struct sockaddr *, struct sockaddr *);
diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index 3d1eba6..130ba0c 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -82,7 +82,12 @@ SYSCTL_DECL(_net_link_ether);
SYSCTL_NODE(_net_link_ether, PF_INET, inet, CTLFLAG_RW, 0, "");
/* timer values */
-static int arpt_keep = (20*60); /* once resolved, good for 20 more minutes */
+#ifdef VIMAGE_GLOBALS
+static int arpt_keep; /* once resolved, good for 20 more minutes */
+static int arp_maxtries;
+static int useloopback; /* use loopback interface for local traffic */
+static int arp_proxyall;
+#endif
SYSCTL_INT(_net_link_ether_inet, OID_AUTO, max_age, CTLFLAG_RW,
&arpt_keep, 0, "ARP entry lifetime in seconds");
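Review bot: The `max_age` knob at the end of this hunk still uses plain `SYSCTL_INT(..., &arpt_keep, ...)`, although `arpt_keep` is now declared only under `#ifdef VIMAGE_GLOBALS`. In a build without VIMAGE_GLOBALS that address-of has no symbol to bind to, and the knob bypasses the V_ accessor that arp_init() now uses for the default. The neighbouring knobs already use the virtualized form, so this one should probably become `SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, max_age, CTLFLAG_RW, arpt_keep, 0, "ARP entry lifetime in seconds");`. The comment "good for 20 more minutes" on the declaration no longer has a value next to it and would fit better on the assignment in arp_init().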
@@ -99,10 +104,6 @@ struct llinfo_arp {
static struct ifqueue arpintrq;
-static int arp_maxtries = 5;
-static int useloopback = 1; /* use loopback interface for local traffic */
-static int arp_proxyall = 0;
-
SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, maxtries,
CTLFLAG_RW, arp_maxtries, 0,
"ARP resolution attempts before returning error");
@@ -1076,6 +1077,12 @@ arp_ifinit2(struct ifnet *ifp, struct ifaddr *ifa, u_char *enaddr)
static void
arp_init(void)
{
+ INIT_VNET_INET(curvnet);
+
+ V_arpt_keep = (20*60); /* once resolved, good for 20 more minutes */
+ V_arp_maxtries = 5;
+ V_useloopback = 1; /* use loopback interface for local traffic */
+ V_arp_proxyall = 0;
arpintrq.ifq_maxlen = 50;
mtx_init(&arpintrq.ifq_mtx, "arp_inq", NULL, MTX_DEF);
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index d047abe..f77434c 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -80,7 +80,9 @@ static MALLOC_DEFINE(M_IGMP, "igmp", "igmp state");
static struct router_info *find_rti(struct ifnet *ifp);
static void igmp_sendpkt(struct in_multi *, int, unsigned long);
+#ifdef VIMAGE_GLOBALS
static struct igmpstat igmpstat;
+#endif
SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_igmp, IGMPCTL_STATS,
stats, CTLFLAG_RW, igmpstat, igmpstat, "");
@@ -92,8 +94,10 @@ SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_igmp, IGMPCTL_STATS,
* reference counting is used. We allow unlocked reads of router_info data
* when accessed via an in_multi read-only.
*/
-static struct mtx igmp_mtx;
+#ifdef VIMAGE_GLOBALS
static SLIST_HEAD(, router_info) router_info_head;
+#endif
+static struct mtx igmp_mtx;
static int igmp_timers_are_running;
/*
diff --git a/sys/netinet/in.c b/sys/netinet/in.c
index 0ce7dbd..f2d7ccb 100644
--- a/sys/netinet/in.c
+++ b/sys/netinet/in.c
@@ -66,18 +66,20 @@ static int in_ifinit(struct ifnet *,
struct in_ifaddr *, struct sockaddr_in *, int);
static void in_purgemaddrs(struct ifnet *);
-static int subnetsarelocal = 0;
+#ifdef VIMAGE_GLOBALS
+static int subnetsarelocal;
+static int sameprefixcarponly;
+extern struct inpcbinfo ripcbinfo;
+extern struct inpcbinfo udbinfo;
+#endif
+
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, subnets_are_local,
CTLFLAG_RW, subnetsarelocal, 0,
"Treat all subnets as directly connected");
-static int sameprefixcarponly = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, same_prefix_carp_only,
CTLFLAG_RW, sameprefixcarponly, 0,
"Refuse to create same prefixes on different interfaces");
-extern struct inpcbinfo ripcbinfo;
-extern struct inpcbinfo udbinfo;
-
/*
* Return 1 if an internet address is for a ``local'' host
* (one to which we have a connection). If subnetsarelocal
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index 6165421..f347102 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -85,7 +85,9 @@ struct protosw in_gif_protosw = {
.pr_usrreqs = &rip_usrreqs
};
-static int ip_gif_ttl = GIF_TTL;
+#ifdef VIMAGE_GLOBALS
+extern int ip_gif_ttl;
+#endif
SYSCTL_V_INT(V_NET, vnet_gif, _net_inet_ip, IPCTL_GIF_TTL, gifttl,
CTLFLAG_RW, ip_gif_ttl, 0, "");
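Review bot: `extern int ip_gif_ttl;` is declared directly in this .c file while the definition now lives in sys/net/if_gif.c, so the compiler cannot check that the two agree if the type ever changes. The declaration belongs in a header that both files include, next to the other gif declarations. It is also worth a one-line comment here that the default (`GIF_TTL`) is now assigned in the gif module's MOD_LOAD handler rather than at this definition site, since the initializer that used to document it is gone.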
diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c
index 65e6be8..6cf6d92 100644
--- a/sys/netinet/in_mcast.c
+++ b/sys/netinet/in_mcast.c
@@ -86,7 +86,9 @@ static MALLOC_DEFINE(M_IPMSOURCE, "in_msource", "IPv4 multicast source filter");
* ip_output() to send IGMP packets while holding the lock; this probably is
* not quite desirable.
*/
+#ifdef VIMAGE_GLOBALS
struct in_multihead in_multihead; /* XXX BSS initialization */
+#endif
struct mtx in_multi_mtx;
MTX_SYSINIT(in_multi_mtx, &in_multi_mtx, "in_multi_mtx", MTX_DEF | MTX_RECURSE);
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 7732133..8611bee 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -84,32 +84,34 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
+#ifdef VIMAGE_GLOBALS
/*
* These configure the range of local port addresses assigned to
* "unspecified" outgoing connections/packets/whatever.
*/
-int ipport_lowfirstauto = IPPORT_RESERVED - 1; /* 1023 */
-int ipport_lowlastauto = IPPORT_RESERVEDSTART; /* 600 */
-int ipport_firstauto = IPPORT_EPHEMERALFIRST; /* 10000 */
-int ipport_lastauto = IPPORT_EPHEMERALLAST; /* 65535 */
-int ipport_hifirstauto = IPPORT_HIFIRSTAUTO; /* 49152 */
-int ipport_hilastauto = IPPORT_HILASTAUTO; /* 65535 */
+int ipport_lowfirstauto;
+int ipport_lowlastauto;
+int ipport_firstauto;
+int ipport_lastauto;
+int ipport_hifirstauto;
+int ipport_hilastauto;
/*
* Reserved ports accessible only to root. There are significant
* security considerations that must be accounted for when changing these,
* but the security benefits can be great. Please be careful.
*/
-int ipport_reservedhigh = IPPORT_RESERVED - 1; /* 1023 */
-int ipport_reservedlow = 0;
+int ipport_reservedhigh;
+int ipport_reservedlow;
/* Variables dealing with random ephemeral port allocation. */
-int ipport_randomized = 1; /* user controlled via sysctl */
-int ipport_randomcps = 10; /* user controlled via sysctl */
-int ipport_randomtime = 45; /* user controlled via sysctl */
-int ipport_stoprandom = 0; /* toggled by ipport_tick */
+int ipport_randomized;
+int ipport_randomcps;
+int ipport_randomtime;
+int ipport_stoprandom;
int ipport_tcpallocs;
int ipport_tcplastcount;
+#endif
#define RANGECHK(var, min, max) \
if ((var) < (min)) { (var) = (min); } \
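Review bot: The removed initializers were the only place where the port-range defaults sat next to the "Reserved ports accessible only to root" warning, and the declarations no longer say where the values come from. On this page they are now assigned in ip_init() in sys/netinet/ip_input.c, so until that runs `ipport_reservedhigh` and the auto ranges are zero. Whether any bind path can run that early is not visible here. I would add above the block `/* Defaults are assigned in ip_init(); values are zero until then. */`, and keep the `/* user controlled via sysctl */` and `/* toggled by ipport_tick */` remarks on the declarations. The same loss of in-place defaults applies to the declaration blocks in tcp_input.c and tcp_output.c, whose assignments are not in the hunks shown.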
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 9a43511..076b262 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -450,6 +450,8 @@ extern int ipport_lastauto;
extern int ipport_hifirstauto;
extern int ipport_hilastauto;
extern int ipport_randomized;
+extern int ipport_randomcps;
+extern int ipport_randomtime;
extern int ipport_stoprandom;
extern int ipport_tcpallocs;
extern struct callout ipport_tick_callout;
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c
index aac2104..8af52f2 100644
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@@ -193,6 +193,7 @@ struct protosw inetsw[] = {
.pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR,
.pr_input = icmp_input,
.pr_ctloutput = rip_ctloutput,
+ .pr_init = icmp_init,
.pr_usrreqs = &rip_usrreqs
},
{
diff --git a/sys/netinet/in_rmx.c b/sys/netinet/in_rmx.c
index 66b8bb3..d70aaa6 100644
--- a/sys/netinet/in_rmx.c
+++ b/sys/netinet/in_rmx.c
@@ -151,17 +151,20 @@ in_matroute(void *v_arg, struct radix_node_head *head)
return rn;
}
-static int rtq_reallyold = 60*60; /* one hour is "really old" */
+#ifdef VIMAGE_GLOBALS
+static int rtq_reallyold;
+static int rtq_minreallyold;
+static int rtq_toomany;
+#endif
+
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_RTEXPIRE, rtexpire,
CTLFLAG_RW, rtq_reallyold, 0,
"Default expiration time on dynamically learned routes");
-static int rtq_minreallyold = 10; /* never automatically crank down to less */
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_RTMINEXPIRE,
rtminexpire, CTLFLAG_RW, rtq_minreallyold, 0,
"Minimum time to attempt to hold onto dynamically learned routes");
-static int rtq_toomany = 128; /* 128 cached routes is "too many" */
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_RTMAXCACHE,
rtmaxcache, CTLFLAG_RW, rtq_toomany, 0,
"Upper limit on dynamically learned routes");
@@ -256,8 +259,10 @@ in_rtqkill(struct radix_node *rn, void *rock)
}
#define RTQ_TIMEOUT 60*10 /* run no less than once every ten minutes */
-static int rtq_timeout = RTQ_TIMEOUT;
+#ifdef VIMAGE_GLOBALS
+static int rtq_timeout;
static struct callout rtq_timer;
+#endif
static void in_rtqtimo_one(void *rock);
@@ -376,6 +381,11 @@ in_inithead(void **head, int off)
if (off == 0) /* XXX MRT see above */
return 1; /* only do the rest for a real routing table */
+ V_rtq_reallyold = 60*60; /* one hour is "really old" */
+ V_rtq_minreallyold = 10; /* never automatically crank down to less */
+ V_rtq_toomany = 128; /* 128 cached routes is "too many" */
+ V_rtq_timeout = RTQ_TIMEOUT;
+
rnh = *head;
rnh->rnh_addaddr = in_addroute;
rnh->rnh_matchaddr = in_matroute;
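Review bot: The four `V_rtq_*` defaults are assigned inside in_inithead(), after the `off == 0` early return, so they run every time a real routing table head is initialised rather than once. The "XXX MRT" remark suggests the function is called for more than one table. If any of those calls can happen after an administrator has tuned `rtexpire`, `rtminexpire` or `rtmaxcache`, the tuned values would be silently reset. That ordering is inferred and should be confirmed. Either guard the block so it runs only for the first table, or add a comment stating that all in_inithead() calls complete before sysctls are writable. The function body starts and ends outside the hunk.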
diff --git a/sys/netinet/in_var.h b/sys/netinet/in_var.h
index 4999e90..1190826 100644
--- a/sys/netinet/in_var.h
+++ b/sys/netinet/in_var.h
@@ -138,6 +138,15 @@ do { \
#endif
/*
+ * IP datagram reassembly.
+ */
+#define IPREASS_NHASH_LOG2 6
+#define IPREASS_NHASH (1 << IPREASS_NHASH_LOG2)
+#define IPREASS_HMASK (IPREASS_NHASH - 1)
+#define IPREASS_HASH(x,y) \
+ (((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
+
+/*
* This information should be part of the ifnet structure but we don't wish
* to change that - as it might break a number of things
*/
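Review bot: `IPREASS_HASH(x,y)` expands `x` twice, and moving it into a widely included header makes it available to callers that may pass an expression with side effects. The macro also has no comment saying what `x` and `y` are expected to be. A `static __inline` function with typed parameters would avoid the double evaluation; failing that, add `/* x: source address word, y: IP id; arguments must be side-effect free */`, adjusted to whatever the call sites really pass. The bucket index is a fixed function of its inputs, so the header comment should also say that the reassembly limits (`maxnipq`, `maxfragsperpacket`) are what bound per-bucket work.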
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index bac4534..dc000cb 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -112,8 +112,10 @@ __FBSDID("$FreeBSD$");
*/
/* Internal variables. */
+#ifdef VIMAGE_GLOBALS
static struct inpcbhead divcb;
static struct inpcbinfo divcbinfo;
+#endif
static u_long div_sendspace = DIVSNDQ; /* XXX sysctl ? */
static u_long div_recvspace = DIVRCVQ; /* XXX sysctl ? */
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 4cdfd6b..7af1758 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -106,7 +106,9 @@ __FBSDID("$FreeBSD$");
#include <machine/in_cksum.h>
-static int ipfastforward_active = 0;
+#ifdef VIMAGE_GLOBALS
+static int ipfastforward_active;
+#endif
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, fastforwarding,
CTLFLAG_RW, ipfastforward_active, 0, "Enable fast IP forwarding");
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 2487533..e631dae 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -77,47 +77,51 @@ __FBSDID("$FreeBSD$");
* host table maintenance routines.
*/
-struct icmpstat icmpstat;
+#ifdef VIMAGE_GLOBALS
+struct icmpstat icmpstat;
+static int icmpmaskrepl;
+static u_int icmpmaskfake;
+static int drop_redirect;
+static int log_redirect;
+static int icmplim;
+static int icmplim_output;
+static char reply_src[IFNAMSIZ];
+static int icmp_rfi;
+static int icmp_quotelen;
+static int icmpbmcastecho;
+#endif
+
SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_STATS, stats,
CTLFLAG_RW, icmpstat, icmpstat, "");
-static int icmpmaskrepl = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_MASKREPL, maskrepl,
CTLFLAG_RW, icmpmaskrepl, 0,
"Reply to ICMP Address Mask Request packets.");
-static u_int icmpmaskfake = 0;
SYSCTL_V_UINT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, maskfake, CTLFLAG_RW,
icmpmaskfake, 0, "Fake reply to ICMP Address Mask Request packets.");
-static int drop_redirect = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, drop_redirect,
CTLFLAG_RW, drop_redirect, 0, "Ignore ICMP redirects");
-static int log_redirect = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, log_redirect,
CTLFLAG_RW, log_redirect, 0, "Log ICMP redirects to the console");
-static int icmplim = 200;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_ICMPLIM, icmplim,
CTLFLAG_RW, icmplim, 0, "Maximum number of ICMP responses per second");
-static int icmplim_output = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, icmplim_output,
CTLFLAG_RW, icmplim_output, 0,
"Enable rate limiting of ICMP responses");
-static char reply_src[IFNAMSIZ];
SYSCTL_V_STRING(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, reply_src,
CTLFLAG_RW, reply_src, IFNAMSIZ,
"icmp reply source for non-local packets.");
-static int icmp_rfi = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, reply_from_interface,
CTLFLAG_RW, icmp_rfi, 0, "ICMP reply from incoming interface for "
"non-local packets");
-static int icmp_quotelen = 8;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_RW,
icmp_quotelen, 0, "Number of bytes from original packet to "
"quote in ICMP reply");
@@ -126,7 +130,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_RW,
* ICMP broadcast echo sysctl
*/
-static int icmpbmcastecho = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, bmcastecho,
CTLFLAG_RW, icmpbmcastecho, 0, "");
@@ -140,6 +143,22 @@ static void icmp_send(struct mbuf *, struct mbuf *);
extern struct protosw inetsw[];
+void
+icmp_init(void)
+{
+ INIT_VNET_INET(curvnet);
+
+ V_icmpmaskrepl = 0;
+ V_icmpmaskfake = 0;
+ V_drop_redirect = 0;
+ V_log_redirect = 0;
+ V_icmplim = 200;
+ V_icmplim_output = 1;
+ V_icmp_rfi = 0;
+ V_icmp_quotelen = 8;
+ V_icmpbmcastecho = 0;
+}
+
/*
* Generate an error packet of type error
* in response to bad packet ip.
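Review bot: icmp_init() assigns nine of the variables that the first hunk moved under VIMAGE_GLOBALS but never touches `reply_src` or `icmpstat`. The `reply_src` sysctl string is therefore only empty if its storage happens to be zero-filled. That holds for a BSS global, but it becomes an assumption once the variable lives in a per-instance container. I would add `V_reply_src[0] = '\0';` (assuming the V_ accessor exists for it, as it does for the others) and either clear the statistics or add a comment that zero-fill is relied on. The function is newly exported, so a short header comment naming it as the `pr_init` hook for the ICMP protosw entry would help as well.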
diff --git a/sys/netinet/ip_icmp.h b/sys/netinet/ip_icmp.h
index e212083..a55c6fc 100644
--- a/sys/netinet/ip_icmp.h
+++ b/sys/netinet/ip_icmp.h
@@ -204,6 +204,7 @@ struct icmp {
#ifdef _KERNEL
void icmp_error(struct mbuf *, int, int, n_long, int);
void icmp_input(struct mbuf *, int);
+void icmp_init(void);
int ip_next_mtu(int, int);
#endif
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index ce92c2f..8e40d84 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -89,33 +89,47 @@ __FBSDID("$FreeBSD$");
CTASSERT(sizeof(struct ip) == 20);
#endif
-int rsvp_on = 0;
+#ifdef VIMAGE_GLOBALS
+static int ipsendredirects;
+static int ip_checkinterface;
+static int ip_keepfaith;
+static int ip_sendsourcequench;
+int ip_defttl;
+int ip_do_randomid;
+int ipforwarding;
+struct in_ifaddrhead in_ifaddrhead; /* first inet address */
+struct in_ifaddrhashhead *in_ifaddrhashtbl; /* inet addr hash table */
+u_long in_ifaddrhmask; /* mask for hash table */
+struct ipstat ipstat;
+static int ip_rsvp_on;
+struct socket *ip_rsvpd;
+int rsvp_on;
+static TAILQ_HEAD(ipqhead, ipq) ipq[IPREASS_NHASH];
+static int maxnipq; /* Administrative limit on # reass queues. */
+static int maxfragsperpacket;
+int ipstealth;
+static int nipq; /* Total # of reass queues */
+#endif
-int ipforwarding = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_FORWARDING,
forwarding, CTLFLAG_RW, ipforwarding, 0,
"Enable IP forwarding between interfaces");
-static int ipsendredirects = 1; /* XXX */
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_SENDREDIRECTS,
redirect, CTLFLAG_RW, ipsendredirects, 0,
"Enable sending IP redirects");
-int ip_defttl = IPDEFTTL;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_DEFTTL,
ttl, CTLFLAG_RW, ip_defttl, 0, "Maximum TTL on IP packets");
-static int ip_keepfaith = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_KEEPFAITH,
keepfaith, CTLFLAG_RW, ip_keepfaith, 0,
"Enable packet capture for FAITH IPv4->IPv6 translater daemon");
-static int ip_sendsourcequench = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO,
sendsourcequench, CTLFLAG_RW, ip_sendsourcequench, 0,
"Enable the transmission of source quench packets");
-int ip_do_randomid = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, random_id,
CTLFLAG_RW, ip_do_randomid, 0, "Assign random ip_id values");
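Review bot: `int ipstealth;` is now declared unconditionally in the VIMAGE_GLOBALS block, whereas the line it replaces (`int ipstealth = 0;`, removed in a later hunk of this file) was inside `#ifdef IPSTEALTH` together with its sysctl. The matching `V_ipstealth = 0;` in ip_init() is also unconditional, so a kernel built without IPSTEALTH now carries the variable and its assignment but no knob. Wrapping both the declaration and the assignment in `#ifdef IPSTEALTH` keeps the option self-contained. The collected declarations have also lost their explanatory comments (for example `/* XXX */` on `ipsendredirects`); a one-line comment above the block saying that defaults are set in ip_init() would make up for that.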
@@ -132,7 +146,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, random_id,
* to the loopback interface instead of the interface where the
* packets for those addresses are received.
*/
-static int ip_checkinterface = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO,
check_interface, CTLFLAG_RW, ip_checkinterface, 0,
"Verify packet arrives on correct interface");
@@ -145,9 +158,6 @@ static int ipqmaxlen = IFQ_MAXLEN;
extern struct domain inetdomain;
extern struct protosw inetsw[];
u_char ip_protox[IPPROTO_MAX];
-struct in_ifaddrhead in_ifaddrhead; /* first inet address */
-struct in_ifaddrhashhead *in_ifaddrhashtbl; /* inet addr hash table */
-u_long in_ifaddrhmask; /* mask for hash table */
SYSCTL_INT(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen, CTLFLAG_RW,
&ipintrq.ifq_maxlen, 0, "Maximum size of the IP input queue");
@@ -155,21 +165,10 @@ SYSCTL_INT(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops, CTLFLAG_RD,
&ipintrq.ifq_drops, 0,
"Number of packets dropped from the IP input queue");
-struct ipstat ipstat;
SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_ip, IPCTL_STATS, stats, CTLFLAG_RW,
ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)");
-/*
- * IP datagram reassembly.
- */
-#define IPREASS_NHASH_LOG2 6
-#define IPREASS_NHASH (1 << IPREASS_NHASH_LOG2)
-#define IPREASS_HMASK (IPREASS_NHASH - 1)
-#define IPREASS_HASH(x,y) \
- (((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
-
static uma_zone_t ipq_zone;
-static TAILQ_HEAD(ipqhead, ipq) ipq[IPREASS_NHASH];
static struct mtx ipqlock;
#define IPQ_LOCK() mtx_lock(&ipqlock)
@@ -180,13 +179,10 @@ static struct mtx ipqlock;
static void maxnipq_update(void);
static void ipq_zone_change(void *);
-static int maxnipq; /* Administrative limit on # reass queues. */
-static int nipq = 0; /* Total # of reass queues */
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, fragpackets,
CTLFLAG_RD, nipq, 0,
"Current number of IPv4 fragment reassembly queue entries");
-static int maxfragsperpacket;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, maxfragsperpacket,
CTLFLAG_RW, maxfragsperpacket, 0,
"Maximum number of IPv4 fragments allowed per packet");
@@ -199,7 +195,6 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
#endif
#ifdef IPSTEALTH
-int ipstealth = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
ipstealth, 0, "IP stealth mode, no TTL decrementation on forwarding");
#endif
@@ -225,6 +220,37 @@ ip_init(void)
struct protosw *pr;
int i;
+ V_ipsendredirects = 1; /* XXX */
+ V_ip_checkinterface = 0;
+ V_ip_keepfaith = 0;
+ V_ip_sendsourcequench = 0;
+ V_rsvp_on = 0;
+ V_ip_defttl = IPDEFTTL;
+ V_ip_do_randomid = 0;
+ V_ipforwarding = 0;
+ V_ipstealth = 0;
+ V_nipq = 0; /* Total # of reass queues */
+
+ V_ipport_lowfirstauto = IPPORT_RESERVED - 1; /* 1023 */
+ V_ipport_lowlastauto = IPPORT_RESERVEDSTART; /* 600 */
+ V_ipport_firstauto = IPPORT_EPHEMERALFIRST; /* 10000 */
+ V_ipport_lastauto = IPPORT_EPHEMERALLAST; /* 65535 */
+ V_ipport_hifirstauto = IPPORT_HIFIRSTAUTO; /* 49152 */
+ V_ipport_hilastauto = IPPORT_HILASTAUTO; /* 65535 */
+ V_ipport_reservedhigh = IPPORT_RESERVED - 1; /* 1023 */
+ V_ipport_reservedlow = 0;
+ V_ipport_randomized = 1; /* user controlled via sysctl */
+ V_ipport_randomcps = 10; /* user controlled via sysctl */
+ V_ipport_randomtime = 45; /* user controlled via sysctl */
+ V_ipport_stoprandom = 0; /* toggled by ipport_tick */
+
+#ifdef NOTYET
+ /* XXX global static but not instantiated in this file */
+ V_ipfastforward_active = 0;
+ V_subnetsarelocal = 0;
+ V_sameprefixcarponly = 0;
+#endif
+
TAILQ_INIT(&V_in_ifaddrhead);
V_in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, &V_in_ifaddrhmask);
pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
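Review bot: The `#ifdef NOTYET` block compiles out the assignments for `V_ipfastforward_active`, `V_subnetsarelocal` and `V_sameprefixcarponly`, yet the hunks for ip_fastfwd.c and in.c in this same commit already removed their `= 0` initializers. Those three knobs are therefore correct only because their storage is zero-filled, which nothing here states. Either initialize each one in an init routine of its own file, or replace the XXX with a comment such as `/* relies on zero-filled storage until these get per-file init hooks */`. The port-range defaults assigned just above belong to in_pcb.c, and a comment naming that file would help the next reader find the matching declarations and the reserved-port warning. ip_init() starts and ends outside the hunk.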
@@ -1591,8 +1617,6 @@ makedummy:
* locking. This code remains in ip_input.c as ip_mroute.c is optionally
* compiled.
*/
-static int ip_rsvp_on;
-struct socket *ip_rsvpd;
int
ip_rsvp_init(struct socket *so)
{
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 7612f67..75ef09d 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -83,7 +83,9 @@ __FBSDID("$FreeBSD$");
(ntohl(a.s_addr)>>8)&0xFF,\
(ntohl(a.s_addr))&0xFF, y);
+#ifdef VIMAGE_GLOBALS
u_short ip_id;
+#endif
#ifdef MBUF_STRESS_TEST
int mbuf_frag_size = 0;
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 8eca00a..dfe902e 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -76,8 +76,10 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
+#ifdef VIMAGE_GLOBALS
struct inpcbhead ripcb;
struct inpcbinfo ripcbinfo;
+#endif
/* control hooks for ipfw and dummynet */
ip_fw_ctl_t *ip_fw_ctl_ptr = NULL;
@@ -91,7 +93,9 @@ ip_dn_ctl_t *ip_dn_ctl_ptr = NULL;
/*
* The socket used to communicate with the multicast routing daemon.
*/
+#ifdef VIMAGE_GLOBALS
struct socket *ip_mrouter;
+#endif
/*
* The various mrouter and rsvp functions.
diff --git a/sys/netinet/tcp_hostcache.c b/sys/netinet/tcp_hostcache.c
index ec8f9ba..25dc44a 100644
--- a/sys/netinet/tcp_hostcache.c
+++ b/sys/netinet/tcp_hostcache.c
@@ -146,9 +146,11 @@ struct tcp_hostcache {
int prune;
int purgeall;
};
-static struct tcp_hostcache tcp_hostcache;
+#ifdef VIMAGE_GLOBALS
+static struct tcp_hostcache tcp_hostcache;
static struct callout tcp_hc_callout;
+#endif
static struct hc_metrics *tcp_hc_lookup(struct in_conninfo *);
static struct hc_metrics *tcp_hc_insert(struct in_conninfo *);
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index a7515ef..4c17f10d 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -99,7 +99,21 @@ __FBSDID("$FreeBSD$");
static const int tcprexmtthresh = 3;
+#ifdef VIMAGE_GLOBALS
struct tcpstat tcpstat;
+int blackhole;
+int tcp_delack_enabled;
+int drop_synfin;
+int tcp_do_rfc3042;
+int tcp_do_rfc3390;
+int tcp_do_ecn;
+int tcp_ecn_maxretries;
+int tcp_insecure_rst;
+int tcp_do_autorcvbuf;
+int tcp_autorcvbuf_inc;
+int tcp_autorcvbuf_max;
+#endif
+
SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_STATS, stats,
CTLFLAG_RW, tcpstat , tcpstat,
"TCP statistics (struct tcpstat, netinet/tcp_var.h)");
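Review bot: `blackhole`, `drop_synfin`, `tcp_do_rfc3042`, `tcp_do_rfc3390` and `tcp_insecure_rst` are declared here as plain `int`, while the lines they replace (removed in the next hunk) were `static int`, so the change gives them external linkage. `blackhole` and `drop_synfin` are generic names for the kernel's global namespace. If another file carries a same-named non-static tentative definition, the linker may merge the two into one variable or fail, and one protocol's knob would then drive another's behaviour; whether such a definition exists is not visible here. Unless another translation unit needs them, keep `static` on these five (`static int blackhole;` and so on), or give them a `tcp_` prefix if they must be exported.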
@@ -108,59 +122,50 @@ int tcp_log_in_vain = 0;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW,
&tcp_log_in_vain, 0, "Log all incoming TCP segments to closed ports");
-static int blackhole = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
blackhole, 0, "Do not send RST on segments to closed ports");
-int tcp_delack_enabled = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, delayed_ack,
CTLFLAG_RW, tcp_delack_enabled, 0,
"Delay ACK to try and piggyback it onto a data packet");
-static int drop_synfin = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, drop_synfin,
CTLFLAG_RW, drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
-static int tcp_do_rfc3042 = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, rfc3042, CTLFLAG_RW,
tcp_do_rfc3042, 0, "Enable RFC 3042 (Limited Transmit)");
-static int tcp_do_rfc3390 = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, rfc3390, CTLFLAG_RW,
tcp_do_rfc3390, 0,
"Enable RFC 3390 (Increasing TCP's Initial Congestion Window)");
-int tcp_do_ecn = 0;
-int tcp_ecn_maxretries = 1;
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, ecn, CTLFLAG_RW, 0, "TCP ECN");
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_ecn, OID_AUTO, enable,
CTLFLAG_RW, tcp_do_ecn, 0, "TCP ECN support");
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_ecn, OID_AUTO, maxretries,
CTLFLAG_RW, tcp_ecn_maxretries, 0, "Max retries before giving up on ECN");
-static int tcp_insecure_rst = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, insecure_rst,
CTLFLAG_RW, tcp_insecure_rst, 0,
"Follow the old (insecure) criteria for accepting RST packets");
-int tcp_do_autorcvbuf = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, recvbuf_auto,
CTLFLAG_RW, tcp_do_autorcvbuf, 0,
"Enable automatic receive buffer sizing");
-int tcp_autorcvbuf_inc = 16*1024;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, recvbuf_inc,
CTLFLAG_RW, tcp_autorcvbuf_inc, 0,
"Incrementor step size of automatic receive buffer");
-int tcp_autorcvbuf_max = 256*1024;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, recvbuf_max,
CTLFLAG_RW, tcp_autorcvbuf_max, 0,
"Max size of automatic receive buffer");
+#ifdef VIMAGE_GLOBALS
struct inpcbhead tcb;
-#define tcb6 tcb /* for KAME src sync over BSD*'s */
struct inpcbinfo tcbinfo;
+#endif
+#define tcb6 tcb /* for KAME src sync over BSD*'s */
static void tcp_dooptions(struct tcpopt *, u_char *, int, int);
static void tcp_do_segment(struct mbuf *, struct tcphdr *,
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index b3a010b..ab92905 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -87,39 +87,42 @@ __FBSDID("$FreeBSD$");
extern struct mbuf *m_copypack();
#endif
-int path_mtu_discovery = 1;
+#ifdef VIMAGE_GLOBALS
+int path_mtu_discovery;
+int ss_fltsz;
+int ss_fltsz_local;
+int tcp_do_newreno;
+int tcp_do_tso;
+int tcp_do_autosndbuf;
+int tcp_autosndbuf_inc;
+int tcp_autosndbuf_max;
+#endif
+
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, path_mtu_discovery,
CTLFLAG_RW, path_mtu_discovery, 1, "Enable Path MTU Discovery");
-int ss_fltsz = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO,
slowstart_flightsize, CTLFLAG_RW,
ss_fltsz, 1, "Slow start flight size");
-int ss_fltsz_local = 4;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO,
local_slowstart_flightsize, CTLFLAG_RW,
ss_fltsz_local, 1, "Slow start flight size for local networks");
-int tcp_do_newreno = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, newreno, CTLFLAG_RW,
tcp_do_newreno, 0, "Enable NewReno Algorithms");
-int tcp_do_tso = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, tso, CTLFLAG_RW,
tcp_do_tso, 0, "Enable TCP Segmentation Offload");
-int tcp_do_autosndbuf = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, sendbuf_auto,
CTLFLAG_RW,
tcp_do_autosndbuf, 0, "Enable automatic send buffer sizing");
-int tcp_autosndbuf_inc = 8*1024;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, sendbuf_inc,
CTLFLAG_RW, tcp_autosndbuf_inc, 0,
"Incrementor step size of automatic send buffer");
-int tcp_autosndbuf_max = 256*1024;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, sendbuf_max,
CTLFLAG_RW, tcp_autosndbuf_max, 0,
"Max size of automatic send buffer");
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 6f55e11..5f47be0 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -74,25 +74,28 @@ __FBSDID("$FreeBSD$");
#include <netinet/tcp_debug.h>
#endif /* TCPDEBUG */
+#ifdef VIMAGE_GLOBALS
+static int tcp_reass_maxseg;
+int tcp_reass_qsize;
+static int tcp_reass_maxqlen;
+static int tcp_reass_overflows;
+#endif
+
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");
-static int tcp_reass_maxseg = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, maxsegments,
CTLFLAG_RDTUN, tcp_reass_maxseg, 0,
"Global maximum number of TCP Segments in Reassembly Queue");
-int tcp_reass_qsize = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, cursegments,
CTLFLAG_RD, tcp_reass_qsize, 0,
"Global number of TCP Segments currently in Reassembly Queue");
-static int tcp_reass_maxqlen = 48;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, maxqlen,
CTLFLAG_RW, tcp_reass_maxqlen, 0,
"Maximum number of TCP Segments per individual Reassembly Queue");
-static int tcp_reass_overflows = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, overflows,
CTLFLAG_RD, tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");
@@ -114,6 +117,11 @@ tcp_reass_init(void)
{
INIT_VNET_INET(curvnet);
+ V_tcp_reass_maxseg = 0;
+ V_tcp_reass_qsize = 0;
+ V_tcp_reass_maxqlen = 48;
+ V_tcp_reass_overflows = 0;
+
V_tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
&V_tcp_reass_maxseg);
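Review bot: The added `V_tcp_reass_maxseg = 0;` in tcp_reass_init is a dead store, because the unchanged line right after the new block sets `V_tcp_reass_maxseg = nmbclusters / 16;` before anything reads it. Dropping the first assignment leaves a single visible default for the global reassembly-queue cap, so nobody mistakes 0 for the effective limit. tcp_reass_init's body continues outside the hunk.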
diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index 3c6ceca..9eb57ba 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -124,23 +124,26 @@ __FBSDID("$FreeBSD$");
extern struct uma_zone *sack_hole_zone;
+#ifdef VIMAGE_GLOBALS
+int tcp_do_sack;
+int tcp_sack_maxholes;
+int tcp_sack_globalmaxholes;
+int tcp_sack_globalholes;
+#endif
+
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, sack, CTLFLAG_RW, 0, "TCP SACK");
-int tcp_do_sack = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, enable,
CTLFLAG_RW, tcp_do_sack, 0, "Enable/Disable TCP SACK support");
TUNABLE_INT("net.inet.tcp.sack.enable", &tcp_do_sack);
-static int tcp_sack_maxholes = 128;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, maxholes,
CTLFLAG_RW, tcp_sack_maxholes, 0,
"Maximum number of TCP SACK holes allowed per connection");
-static int tcp_sack_globalmaxholes = 65536;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, globalmaxholes,
CTLFLAG_RW, tcp_sack_globalmaxholes, 0,
"Global maximum number of TCP SACK holes");
-static int tcp_sack_globalholes = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, globalholes,
CTLFLAG_RD, tcp_sack_globalholes, 0,
"Global number of TCP SACK holes currently allocated");
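Review bot: The unchanged `TUNABLE_INT("net.inet.tcp.sack.enable", &tcp_do_sack);` no longer fits the new initialisation, because the `= 1` default moved out of this file into tcp_init (`V_tcp_do_sack = 1;` in the tcp_subr.c hunk). As far as SYSINIT ordering goes, the tunable is fetched before protocol init runs, so a loader setting of 0 would likely be overwritten with 1. tcp_reass_init on this page shows the pattern that survives the move: assign the default, then call `TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);` right after it. Dropping `static` from the three hole counters looks intended, since tcp_var.h gains matching externs.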
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 02d654b..e28d40c 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -111,9 +111,20 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
-int tcp_mssdflt = TCP_MSS;
+#ifdef VIMAGE_GLOBALS
+int tcp_mssdflt;
#ifdef INET6
-int tcp_v6mssdflt = TCP6_MSS;
+int tcp_v6mssdflt;
+#endif
+int tcp_minmss;
+int tcp_do_rfc1323;
+static int icmp_may_rst;
+static int tcp_isn_reseed_interval;
+static int tcp_inflight_enable;
+static int tcp_inflight_rttthresh;
+static int tcp_inflight_min;
+static int tcp_inflight_max;
+static int tcp_inflight_stab;
#endif
static int
@@ -168,11 +179,9 @@ SYSCTL_PROC(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt, CTLTYPE_INT|CTLFLAG_RW,
* with packet generation and sending. Set to zero to disable MINMSS
* checking. This setting prevents us from sending too small packets.
*/
-int tcp_minmss = TCP_MINMSS;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, minmss,
CTLFLAG_RW, tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
-int tcp_do_rfc1323 = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323,
CTLFLAG_RW, tcp_do_rfc1323, 0,
"Enable rfc1323 (high performance TCP) extensions");
@@ -192,12 +201,10 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW, &do_tcpdrain, 0,
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, pcbcount,
CTLFLAG_RD, tcbinfo.ipi_count, 0, "Number of active PCBs");
-static int icmp_may_rst = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, icmp_may_rst,
CTLFLAG_RW, icmp_may_rst, 0,
"Certain ICMP unreachable messages may abort connections in SYN_SENT");
-static int tcp_isn_reseed_interval = 0;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, isn_reseed_interval,
CTLFLAG_RW, tcp_isn_reseed_interval, 0,
"Seconds between reseeding of ISN secret");
@@ -210,7 +217,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, isn_reseed_interval,
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, inflight, CTLFLAG_RW, 0,
"TCP inflight data limiting");
-static int tcp_inflight_enable = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, enable,
CTLFLAG_RW, tcp_inflight_enable, 0,
"Enable automatic TCP inflight data limiting");
@@ -219,20 +225,16 @@ static int tcp_inflight_debug = 0;
SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, debug, CTLFLAG_RW,
&tcp_inflight_debug, 0, "Debug TCP inflight calculations");
-static int tcp_inflight_rttthresh;
SYSCTL_PROC(_net_inet_tcp_inflight, OID_AUTO, rttthresh, CTLTYPE_INT|CTLFLAG_RW,
&tcp_inflight_rttthresh, 0, sysctl_msec_to_ticks, "I",
"RTT threshold below which inflight will deactivate itself");
-static int tcp_inflight_min = 6144;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, min,
CTLFLAG_RW, tcp_inflight_min, 0, "Lower-bound for TCP inflight window");
-static int tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, max,
CTLFLAG_RW, tcp_inflight_max, 0, "Upper-bound for TCP inflight window");
-static int tcp_inflight_stab = 20;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, stab,
CTLFLAG_RW, tcp_inflight_stab, 0,
"Inflight Algorithm Stabilization 20 = 2 packets");
@@ -297,8 +299,49 @@ void
tcp_init(void)
{
INIT_VNET_INET(curvnet);
+ int hashsize;
+
+ V_blackhole = 0;
+ V_tcp_delack_enabled = 1;
+ V_drop_synfin = 0;
+ V_tcp_do_rfc3042 = 1;
+ V_tcp_do_rfc3390 = 1;
+ V_tcp_do_ecn = 0;
+ V_tcp_ecn_maxretries = 1;
+ V_tcp_insecure_rst = 0;
+ V_tcp_do_autorcvbuf = 1;
+ V_tcp_autorcvbuf_inc = 16*1024;
+ V_tcp_autorcvbuf_max = 256*1024;
+
+ V_tcp_mssdflt = TCP_MSS;
+#ifdef INET6
+ V_tcp_v6mssdflt = TCP6_MSS;
+#endif
+ V_tcp_minmss = TCP_MINMSS;
+ V_tcp_do_rfc1323 = 1;
+ V_icmp_may_rst = 1;
+ V_tcp_isn_reseed_interval = 0;
+ V_tcp_inflight_enable = 1;
+ V_tcp_inflight_min = 6144;
+ V_tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT;
+ V_tcp_inflight_stab = 20;
+
+ V_path_mtu_discovery = 1;
+ V_ss_fltsz = 1;
+ V_ss_fltsz_local = 4;
+ V_tcp_do_newreno = 1;
+ V_tcp_do_tso = 1;
+ V_tcp_do_autosndbuf = 1;
+ V_tcp_autosndbuf_inc = 8*1024;
+ V_tcp_autosndbuf_max = 256*1024;
+
+ V_nolocaltimewait = 0;
+
+ V_tcp_do_sack = 1;
+ V_tcp_sack_maxholes = 128;
+ V_tcp_sack_globalmaxholes = 65536;
+ V_tcp_sack_globalholes = 0;
- int hashsize = TCBHASHSIZE;
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
tcp_keepidle = TCPTV_KEEP_IDLE;
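Review bot: The block of defaults added to tcp_init has no comments, so a reader can no longer see which file each group belongs to. Security-relevant values such as `V_tcp_insecure_rst = 0`, `V_drop_synfin = 0` and `V_icmp_may_rst = 1` are also now separated from their SYSCTL descriptions. The blank-line groups match the files the initialisers came from, so a one-line header per group would do: `/* tcp_input.c */`, `/* tcp_subr.c */`, `/* tcp_output.c */`, `/* tcp_timewait.c */`, `/* tcp_sack.c */`. `tcp_inflight_rttthresh` is moved under VIMAGE_GLOBALS in this file but gets no assignment in the visible lines; it had no initialiser before either, so it is presumably set further down in tcp_init, outside the hunk.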
@@ -315,6 +358,7 @@ tcp_init(void)
INP_INFO_LOCK_INIT(&V_tcbinfo, "tcp");
LIST_INIT(&V_tcb);
V_tcbinfo.ipi_listhead = &V_tcb;
+ hashsize = TCBHASHSIZE;
TUNABLE_INT_FETCH("net.inet.tcp.tcbhashsize", &hashsize);
if (!powerof2(hashsize)) {
printf("WARNING: TCB hash size not a power of 2\n");
@@ -1429,10 +1473,12 @@ tcp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
#define ISN_STATIC_INCREMENT 4096
#define ISN_RANDOM_INCREMENT (4096 - 1)
+#ifdef VIMAGE_GLOBALS
static u_char isn_secret[32];
static int isn_last_reseed;
static u_int32_t isn_offset, isn_offset_old;
static MD5_CTX isn_ctx;
+#endif
tcp_seq
tcp_new_isn(struct tcpcb *tp)
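Review bot: The ISN state wrapped here (`isn_secret`, `isn_last_reseed`, `isn_offset`, `isn_offset_old`, `isn_ctx`) relied on static zero-initialisation, and neither tcp_init hunk in this diff assigns any of it, although the commit gives explicit assignments even to zero defaults such as `V_drop_synfin = 0`. tcp_new_isn's body is outside the hunk, so whether it depends on `isn_last_reseed` starting at 0 to trigger the first seeding of the secret cannot be confirmed here. If it does, storage that is not guaranteed to be zeroed would leave the initial sequence numbers depending on stale memory rather than on a fresh secret. An explicit `V_isn_last_reseed = 0;` and `V_isn_offset = V_isn_offset_old = 0;` in tcp_init (assuming the V_ accessors follow the naming used in vinet.h) would remove that dependency.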
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index c9f3b4f..a69b0b2 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -98,12 +98,17 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
-static int tcp_syncookies = 1;
+#ifdef VIMAGE_GLOBALS
+static struct tcp_syncache tcp_syncache;
+static int tcp_syncookies;
+static int tcp_syncookiesonly;
+int tcp_sc_rst_sock_fail;
+#endif
+
SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies, CTLFLAG_RW,
&tcp_syncookies, 0,
"Use TCP SYN cookies if the syncache overflows");
-static int tcp_syncookiesonly = 0;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies_only, CTLFLAG_RW,
&tcp_syncookiesonly, 0,
"Use only TCP SYN cookies");
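Review bot: `syncookies` and `syncookies_only` are still exported with plain `SYSCTL_INT(..., &tcp_syncookies, ...)`, although this hunk moves both variables under VIMAGE_GLOBALS, vinet.h gains `V_tcp_syncookies`/`V_tcp_syncookiesonly`, and syncache_init now writes them through the V_ names. The neighbouring tcp_syncache knobs (`rexmtlimit`, `rst_on_sock_fail`) use `SYSCTL_V_INT(V_NET, vnet_inet, ...)` with the bare member name, so these two would presumably stop resolving, or stay global, once the globals are dropped. Converting them in the same commit, e.g. `SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, syncookies, CTLFLAG_RW, tcp_syncookies, 0, ...)`, keeps the SYN-flood controls consistent with the rest. The same leftover appears for `nolocaltimewait` in tcp_timewait.c, `udp_blackhole` in udp_usrreq.c and the three `rtq_*6` sysctls in in6_rmx.c.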
@@ -142,8 +147,6 @@ static struct syncache
#define TCP_SYNCACHE_HASHSIZE 512
#define TCP_SYNCACHE_BUCKETLIMIT 30
-static struct tcp_syncache tcp_syncache;
-
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, syncache, CTLFLAG_RW, 0, "TCP SYN cache");
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
@@ -166,7 +169,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
rexmtlimit, CTLFLAG_RW,
tcp_syncache.rexmt_limit, 0, "Limit on SYN/ACK retransmissions");
-int tcp_sc_rst_sock_fail = 1;
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
rst_on_sock_fail, CTLFLAG_RW,
tcp_sc_rst_sock_fail, 0, "Send reset on socket allocation failure");
@@ -223,6 +225,10 @@ syncache_init(void)
INIT_VNET_INET(curvnet);
int i;
+ V_tcp_syncookies = 1;
+ V_tcp_syncookiesonly = 0;
+ V_tcp_sc_rst_sock_fail = 1;
+
V_tcp_syncache.cache_count = 0;
V_tcp_syncache.hashsize = TCP_SYNCACHE_HASHSIZE;
V_tcp_syncache.bucket_limit = TCP_SYNCACHE_BUCKETLIMIT;
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 83b8aa6..a97b4a2 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -102,7 +102,10 @@ static int maxtcptw;
* queue pointers in each tcptw structure, are protected using the global
* tcbinfo lock, which must be held over queue iteration and modification.
*/
+#ifdef VIMAGE_GLOBALS
static TAILQ_HEAD(, tcptw) twq_2msl;
+int nolocaltimewait;
+#endif
static void tcp_tw_2msl_reset(struct tcptw *, int);
static void tcp_tw_2msl_stop(struct tcptw *);
@@ -147,7 +150,6 @@ SYSCTL_PROC(_net_inet_tcp, OID_AUTO, maxtcptw, CTLTYPE_INT|CTLFLAG_RW,
&maxtcptw, 0, sysctl_maxtcptw, "IU",
"Maximum number of compressed TCP TIME_WAIT entries");
-static int nolocaltimewait = 0;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, nolocaltimewait, CTLFLAG_RW,
&nolocaltimewait, 0,
"Do not create compressed TCP TIME_WAIT entries for local connections");
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 40f060b..3bef611 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -517,7 +517,26 @@ extern int path_mtu_discovery;
extern int ss_fltsz;
extern int ss_fltsz_local;
+extern int blackhole;
+extern int drop_synfin;
+extern int tcp_do_rfc3042;
+extern int tcp_do_rfc3390;
+extern int tcp_insecure_rst;
+extern int tcp_do_autorcvbuf;
+extern int tcp_autorcvbuf_inc;
+extern int tcp_autorcvbuf_max;
+
+extern int tcp_do_tso;
+extern int tcp_do_autosndbuf;
+extern int tcp_autosndbuf_inc;
+extern int tcp_autosndbuf_max;
+
+extern int nolocaltimewait;
+
extern int tcp_do_sack; /* SACK enabled/disabled */
+extern int tcp_sack_maxholes;
+extern int tcp_sack_globalmaxholes;
+extern int tcp_sack_globalholes;
extern int tcp_sc_rst_sock_fail; /* RST on sock alloc failure */
extern int tcp_do_ecn; /* TCP ECN enabled/disabled */
extern int tcp_ecn_maxretries;
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index cbfdb6b..9409235 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -95,6 +95,10 @@ __FBSDID("$FreeBSD$");
* Per RFC 768, August, 1980.
*/
+#ifdef VIMAGE_GLOBALS
+int udp_blackhole;
+#endif
+
/*
* BSD 4.2 defaulted the udp checksum to be off. Turning off udp checksums
* removes the only data integrity mechanism for packets and malformed
@@ -109,7 +113,6 @@ int udp_log_in_vain = 0;
SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW,
&udp_log_in_vain, 0, "Log all incoming UDP packets");
-int udp_blackhole = 0;
SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_RW, &udp_blackhole, 0,
"Do not send port unreachables for refused connects");
@@ -129,14 +132,16 @@ u_long udp_recvspace = 40 * (1024 +
SYSCTL_ULONG(_net_inet_udp, UDPCTL_RECVSPACE, recvspace, CTLFLAG_RW,
&udp_recvspace, 0, "Maximum space for incoming UDP datagrams");
+#ifdef VIMAGE_GLOBALS
struct inpcbhead udb; /* from udp_var.h */
struct inpcbinfo udbinfo;
+struct udpstat udpstat; /* from udp_var.h */
+#endif
#ifndef UDBHASHSIZE
#define UDBHASHSIZE 128
#endif
-struct udpstat udpstat; /* from udp_var.h */
SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_udp, UDPCTL_STATS, stats,
CTLFLAG_RW, udpstat, udpstat,
"UDP statistics (struct udpstat, netinet/udp_var.h)");
@@ -167,6 +172,8 @@ udp_init(void)
{
INIT_VNET_INET(curvnet);
+ V_udp_blackhole = 0;
+
INP_INFO_LOCK_INIT(&V_udbinfo, "udp");
LIST_INIT(&V_udb);
V_udbinfo.ipi_listhead = &V_udb;
diff --git a/sys/netinet/vinet.h b/sys/netinet/vinet.h
index 1f16dfd..961e772 100644
--- a/sys/netinet/vinet.h
+++ b/sys/netinet/vinet.h
@@ -319,6 +319,8 @@ struct vnet_inet {
#define V_tcp_sack_maxholes VNET_INET(tcp_sack_maxholes)
#define V_tcp_sc_rst_sock_fail VNET_INET(tcp_sc_rst_sock_fail)
#define V_tcp_syncache VNET_INET(tcp_syncache)
+#define V_tcp_syncookies VNET_INET(tcp_syncookies)
+#define V_tcp_syncookiesonly VNET_INET(tcp_syncookiesonly)
#define V_tcp_v6mssdflt VNET_INET(tcp_v6mssdflt)
#define V_tcpstat VNET_INET(tcpstat)
#define V_twq_2msl VNET_INET(twq_2msl)
diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index 961af87..391ce92 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -77,9 +77,11 @@ static struct mtx ip6qlock;
/*
* These fields all protected by ip6qlock.
*/
+#ifdef VIMAGE_GLOBALS
static u_int frag6_nfragpackets;
static u_int frag6_nfrags;
static struct ip6q ip6q; /* ip6 reassemble queue */
+#endif
#define IP6Q_LOCK_INIT() mtx_init(&ip6qlock, "ip6qlock", NULL, MTX_DEF);
#define IP6Q_LOCK() mtx_lock(&ip6qlock)
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 65ef96c..4a1557f 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -108,16 +108,17 @@ __FBSDID("$FreeBSD$");
#endif
extern struct domain inet6domain;
-
-struct icmp6stat icmp6stat;
-
extern struct inpcbinfo ripcbinfo;
extern struct inpcbhead ripcb;
extern int icmp6errppslim;
-static int icmp6errpps_count = 0;
-static struct timeval icmp6errppslim_last;
extern int icmp6_nodeinfo;
+#ifdef VIMAGE_GLOBALS
+struct icmp6stat icmp6stat;
+static int icmp6errpps_count;
+static struct timeval icmp6errppslim_last;
+#endif
+
static void icmp6_errcount(struct icmp6errstat *, int, int);
static int icmp6_rip6_input(struct mbuf **, int);
static int icmp6_ratelimit(const struct in6_addr *, const int, const int);
@@ -138,6 +139,8 @@ icmp6_init(void)
{
INIT_VNET_INET6(curvnet);
+ V_icmp6errpps_count = 0;
+
mld6_init();
}
diff --git a/sys/netinet6/in6_ifattach.c b/sys/netinet6/in6_ifattach.c
index a51f59c..3fdfc8c 100644
--- a/sys/netinet6/in6_ifattach.c
+++ b/sys/netinet6/in6_ifattach.c
@@ -61,15 +61,11 @@ __FBSDID("$FreeBSD$");
#include <netinet6/nd6.h>
#include <netinet6/scope6_var.h>
-unsigned long in6_maxmtu = 0;
-
-#ifdef IP6_AUTO_LINKLOCAL
-int ip6_auto_linklocal = IP6_AUTO_LINKLOCAL;
-#else
-int ip6_auto_linklocal = 1; /* enable by default */
-#endif
-
+#ifdef VIMAGE_GLOBALS
+unsigned long in6_maxmtu;
+int ip6_auto_linklocal;
struct callout in6_tmpaddrtimer_ch;
+#endif
extern struct inpcbinfo udbinfo;
extern struct inpcbinfo ripcbinfo;
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c
index ca221fe..c4ded5e 100644
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@@ -368,73 +368,56 @@ DOMAIN_SET(inet6);
/*
* Internet configuration info
*/
-#ifndef IPV6FORWARDING
-#ifdef GATEWAY6
-#define IPV6FORWARDING 1 /* forward IP6 packets not for us */
-#else
-#define IPV6FORWARDING 0 /* don't forward IP6 packets not for us */
-#endif /* GATEWAY6 */
-#endif /* !IPV6FORWARDING */
-
-#ifndef IPV6_SENDREDIRECTS
-#define IPV6_SENDREDIRECTS 1
-#endif
-
-int ip6_forwarding = IPV6FORWARDING; /* act as router? */
-int ip6_sendredirects = IPV6_SENDREDIRECTS;
-int ip6_defhlim = IPV6_DEFHLIM;
-int ip6_defmcasthlim = IPV6_DEFAULT_MULTICAST_HOPS;
-int ip6_accept_rtadv = 0; /* "IPV6FORWARDING ? 0 : 1" is dangerous */
-int ip6_maxfragpackets; /* initialized in frag6.c:frag6_init() */
-int ip6_maxfrags; /* initialized in frag6.c:frag6_init() */
-int ip6_log_interval = 5;
-int ip6_hdrnestlimit = 15; /* How many header options will we process? */
-int ip6_dad_count = 1; /* DupAddrDetectionTransmits */
-int ip6_auto_flowlabel = 1;
-int ip6_gif_hlim = 0;
-int ip6_use_deprecated = 1; /* allow deprecated addr (RFC2462 5.5.4) */
-int ip6_rr_prune = 5; /* router renumbering prefix
- * walk list every 5 sec. */
-int ip6_mcast_pmtu = 0; /* enable pMTU discovery for multicast? */
-int ip6_v6only = 1;
-
-int ip6_keepfaith = 0;
-time_t ip6_log_time = (time_t)0L;
-#ifdef IPSTEALTH
-int ip6stealth = 0;
+#ifdef VIMAGE_GLOBALS
+int ip6_forwarding;
+int ip6_sendredirects;
+int ip6_defhlim;
+int ip6_defmcasthlim;
+int ip6_accept_rtadv;
+int ip6_maxfragpackets;
+int ip6_maxfrags;
+int ip6_log_interval;
+int ip6_hdrnestlimit;
+int ip6_dad_count;
+int ip6_auto_flowlabel;
+int ip6_use_deprecated;
+int ip6_rr_prune;
+int ip6_mcast_pmtu;
+int ip6_v6only;
+int ip6_keepfaith;
+time_t ip6_log_time;
+int ip6stealth;
+int nd6_onlink_ns_rfc4861;
#endif
-int nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (as in RFC 4861) */
+#ifdef VIMAGE_GLOBALS
/* icmp6 */
/*
* BSDI4 defines these variables in in_proto.c...
* XXX: what if we don't define INET? Should we define pmtu6_expire
* or so? (jinmei@kame.net 19990310)
*/
-int pmtu_expire = 60*10;
-int pmtu_probe = 60*2;
+int pmtu_expire;
+int pmtu_probe;
/* raw IP6 parameters */
/*
* Nominal space allocated to a raw ip socket.
*/
-#define RIPV6SNDQ 8192
-#define RIPV6RCVQ 8192
-
-u_long rip6_sendspace = RIPV6SNDQ;
-u_long rip6_recvspace = RIPV6RCVQ;
+u_long rip6_sendspace;
+u_long rip6_recvspace;
/* ICMPV6 parameters */
-int icmp6_rediraccept = 1; /* accept and process redirects */
-int icmp6_redirtimeout = 10 * 60; /* 10 minutes */
-int icmp6errppslim = 100; /* 100pps */
+int icmp6_rediraccept;
+int icmp6_redirtimeout;
+int icmp6errppslim;
/* control how to respond to NI queries */
-int icmp6_nodeinfo = (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK);
+int icmp6_nodeinfo;
/* UDP on IP6 parameters */
-int udp6_sendspace = 9216; /* really max datagram size */
-int udp6_recvspace = 40 * (1024 + sizeof(struct sockaddr_in6));
- /* 40 1K datagrams */
+int udp6_sendspace;
+int udp6_recvspace;
+#endif /* VIMAGE_GLOBALS */
/*
* sysctl related items.
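Review bot: `int ip6stealth;` is now declared unconditionally, while the removed line was guarded by `#ifdef IPSTEALTH` and the matching `V_ip6stealth = 0;` in ip6_init keeps that guard. Unless vinet6.h needs the symbol unconditionally, wrapping the declaration in `#ifdef IPSTEALTH` / `#endif` again would keep the two in step. `ip6_gif_hlim` is removed from this file without reappearing in the new list or in ip6_init's defaults, so it presumably moved to the gif code changed elsewhere in this commit, which is worth confirming. The block also closes with `#endif` and reopens `#ifdef VIMAGE_GLOBALS` on the next line, which could be a single conditional.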
diff --git a/sys/netinet6/in6_rmx.c b/sys/netinet6/in6_rmx.c
index ff426dc..0936a92 100644
--- a/sys/netinet6/in6_rmx.c
+++ b/sys/netinet6/in6_rmx.c
@@ -219,18 +219,18 @@ in6_matroute(void *v_arg, struct radix_node_head *head)
SYSCTL_DECL(_net_inet6_ip6);
-static int rtq_reallyold6 = 60*60;
- /* one hour is ``really old'' */
+#ifdef VIMAGE_GLOBALS
+static int rtq_reallyold6;
+static int rtq_minreallyold6;
+static int rtq_toomany6;
+#endif
+
SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RTEXPIRE, rtexpire,
CTLFLAG_RW, &rtq_reallyold6 , 0, "");
-static int rtq_minreallyold6 = 10;
- /* never automatically crank down to less */
SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RTMINEXPIRE, rtminexpire,
CTLFLAG_RW, &rtq_minreallyold6 , 0, "");
-static int rtq_toomany6 = 128;
- /* 128 cached routes is ``too many'' */
SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RTMAXCACHE, rtmaxcache,
CTLFLAG_RW, &rtq_toomany6 , 0, "");
@@ -324,8 +324,10 @@ in6_rtqkill(struct radix_node *rn, void *rock)
}
#define RTQ_TIMEOUT 60*10 /* run no less than once every ten minutes */
-static int rtq_timeout6 = RTQ_TIMEOUT;
+#ifdef VIMAGE_GLOBALS
+static int rtq_timeout6;
static struct callout rtq_timer6;
+#endif
static void
in6_rtqtimo(void *rock)
@@ -387,7 +389,9 @@ struct mtuex_arg {
struct radix_node_head *rnh;
time_t nextstop;
};
+#ifdef VIMAGE_GLOBALS
static struct callout rtq_mtutimer;
+#endif
static int
in6_mtuexpire(struct radix_node *rn, void *rock)
@@ -478,6 +482,11 @@ in6_inithead(void **head, int off)
if (off == 0) /* See above */
return 1; /* only do the rest for the real thing */
+ V_rtq_reallyold6 = 60*60; /* one hour is ``really old'' */
+ V_rtq_minreallyold6 = 10; /* never automatically crank down to less */
+ V_rtq_toomany6 = 128; /* 128 cached routes is ``too many'' */
+ V_rtq_timeout6 = RTQ_TIMEOUT;
+
rnh = *head;
rnh->rnh_addaddr = in6_addroute;
rnh->rnh_matchaddr = in6_matroute;
diff --git a/sys/netinet6/in6_src.c b/sys/netinet6/in6_src.c
index 1bb673d..b38869e 100644
--- a/sys/netinet6/in6_src.c
+++ b/sys/netinet6/in6_src.c
@@ -119,9 +119,11 @@ static struct sx addrsel_sxlock;
#define ADDRSEL_XUNLOCK() sx_xunlock(&addrsel_sxlock)
#define ADDR_LABEL_NOTAPP (-1)
-struct in6_addrpolicy defaultaddrpolicy;
-int ip6_prefer_tempaddr = 0;
+#ifdef VIMAGE_GLOBALS
+struct in6_addrpolicy defaultaddrpolicy;
+int ip6_prefer_tempaddr;
+#endif
static int selectroute __P((struct sockaddr_in6 *, struct ip6_pktopts *,
struct ip6_moptions *, struct route_in6 *, struct ifnet **,
@@ -875,6 +877,8 @@ addrsel_policy_init(void)
ADDRSEL_SXLOCK_INIT();
INIT_VNET_INET6(curvnet);
+ V_ip6_prefer_tempaddr = 0;
+
init_policy_queue();
/* initialize the "last resort" policy */
@@ -972,7 +976,9 @@ struct addrsel_policyent {
TAILQ_HEAD(addrsel_policyhead, addrsel_policyent);
+#ifdef VIMAGE_GLOBALS
struct addrsel_policyhead addrsel_policytab;
+#endif
static void
init_policy_queue(void)
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 8745b08..7571507 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -76,7 +76,9 @@ __FBSDID("$FreeBSD$");
#include <netinet6/ip6protosw.h>
+#ifdef VIMAGE_GLOBALS
struct route_in6 ip6_forward_rt;
+#endif
/*
* Forward a packet. If some error occurs return the sender
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 8bd178f..320042f 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -116,21 +116,34 @@ extern struct domain inet6domain;
u_char ip6_protox[IPPROTO_MAX];
static struct ifqueue ip6intrq;
-static int ip6qmaxlen = IFQ_MAXLEN;
+
+#ifdef VIMAGE_GLOBALS
+static int ip6qmaxlen;
struct in6_ifaddr *in6_ifaddr;
+struct ip6stat ip6stat;
+#endif
extern struct callout in6_tmpaddrtimer_ch;
+extern int dad_init;
+extern int pmtu_expire;
+extern int pmtu_probe;
+extern u_long rip6_sendspace;
+extern u_long rip6_recvspace;
+extern int icmp6errppslim;
+extern int icmp6_nodeinfo;
+extern int udp6_sendspace;
+extern int udp6_recvspace;
+
+#ifdef VIMAGE_GLOBALS
int ip6_forward_srcrt; /* XXX */
int ip6_sourcecheck; /* XXX */
int ip6_sourcecheck_interval; /* XXX */
-
int ip6_ours_check_algorithm;
+#endif
struct pfil_head inet6_pfil_hook;
-struct ip6stat ip6stat;
-
static void ip6_init2(void *);
static struct ip6aux *ip6_setdstifaddr(struct mbuf *, struct in6_ifaddr *);
static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
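Review bot: The nine `extern` declarations added here (`dad_init`, `pmtu_expire`, … `udp6_recvspace`) are local to this .c file, so the compiler cannot check them against the definitions in other files if a type changes later (`rip6_sendspace` and `rip6_recvspace` are `u_long`, the rest `int`). Declaring them once in a header that the defining files also include would keep definition and use type-checked. nd6.c does the same for `dad_ignore_ns` and `dad_maxtry`, and there the externs additionally sit inside `#ifdef VIMAGE_GLOBALS`.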
@@ -149,6 +162,72 @@ ip6_init(void)
struct ip6protosw *pr;
int i;
+ V_ip6qmaxlen = IFQ_MAXLEN;
+ V_in6_maxmtu = 0;
+#ifdef IP6_AUTO_LINKLOCAL
+ V_ip6_auto_linklocal = IP6_AUTO_LINKLOCAL;
+#else
+ V_ip6_auto_linklocal = 1; /* enable by default */
+#endif
+
+#ifndef IPV6FORWARDING
+#ifdef GATEWAY6
+#define IPV6FORWARDING 1 /* forward IP6 packets not for us */
+#else
+#define IPV6FORWARDING 0 /* don't forward IP6 packets not for us */
+#endif /* GATEWAY6 */
+#endif /* !IPV6FORWARDING */
+
+#ifndef IPV6_SENDREDIRECTS
+#define IPV6_SENDREDIRECTS 1
+#endif
+
+ V_ip6_forwarding = IPV6FORWARDING; /* act as router? */
+ V_ip6_sendredirects = IPV6_SENDREDIRECTS;
+ V_ip6_defhlim = IPV6_DEFHLIM;
+ V_ip6_defmcasthlim = IPV6_DEFAULT_MULTICAST_HOPS;
+ V_ip6_accept_rtadv = 0; /* "IPV6FORWARDING ? 0 : 1" is dangerous */
+ V_ip6_log_interval = 5;
+ V_ip6_hdrnestlimit = 15; /* How many header options will we process? */
+ V_ip6_dad_count = 1; /* DupAddrDetectionTransmits */
+ V_ip6_auto_flowlabel = 1;
+ V_ip6_use_deprecated = 1;/* allow deprecated addr (RFC2462 5.5.4) */
+ V_ip6_rr_prune = 5; /* router renumbering prefix
+ * walk list every 5 sec. */
+ V_ip6_mcast_pmtu = 0; /* enable pMTU discovery for multicast? */
+ V_ip6_v6only = 1;
+ V_ip6_keepfaith = 0;
+ V_ip6_log_time = (time_t)0L;
+#ifdef IPSTEALTH
+ V_ip6stealth = 0;
+#endif
+ V_nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (RFC 4861) */
+
+ V_pmtu_expire = 60*10;
+ V_pmtu_probe = 60*2;
+
+ /* raw IP6 parameters */
+ /*
+ * Nominal space allocated to a raw ip socket.
+ */
+#define RIPV6SNDQ 8192
+#define RIPV6RCVQ 8192
+ V_rip6_sendspace = RIPV6SNDQ;
+ V_rip6_recvspace = RIPV6RCVQ;
+
+ /* ICMPV6 parameters */
+ V_icmp6_rediraccept = 1; /* accept and process redirects */
+ V_icmp6_redirtimeout = 10 * 60; /* 10 minutes */
+ V_icmp6errppslim = 100; /* 100pps */
+ /* control how to respond to NI queries */
+ V_icmp6_nodeinfo = (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK);
+
+ /* UDP on IP6 parameters */
+ V_udp6_sendspace = 9216; /* really max datagram size */
+ V_udp6_recvspace = 40 * (1024 + sizeof(struct sockaddr_in6));
+ /* 40 1K datagrams */
+ V_dad_init = 0;
+
#ifdef DIAGNOSTIC
if (sizeof(struct protosw) != sizeof(struct ip6protosw))
panic("sizeof(protosw) != sizeof(ip6protosw)");
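Review bot: `V_ip6_maxfragpackets` and `V_ip6_maxfrags` get no default in this block, and the comment that explained why, `/* initialized in frag6.c:frag6_init() */`, was deleted with the old declarations in in6_proto.c. A one-line comment such as `/* ip6_maxfragpackets, ip6_maxfrags: set in frag6_init() */` would keep that pointer. The `#define`s for IPV6FORWARDING, IPV6_SENDREDIRECTS, RIPV6SNDQ and RIPV6RCVQ now sit inside the function body, where they still take effect for the rest of the file; placing them above ip6_init would read more conventionally. ip6_init's body starts and ends outside the hunk.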
diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c
index 61a6e5c..2ae6ed8 100644
--- a/sys/netinet6/ip6_mroute.c
+++ b/sys/netinet6/ip6_mroute.c
@@ -129,6 +129,7 @@ static MALLOC_DEFINE(M_MRTABLE6, "mf6c", "multicast forwarding cache entry");
static int ip6_mdq(struct mbuf *, struct ifnet *, struct mf6c *);
static void phyint_send(struct ip6_hdr *, struct mif6 *, struct mbuf *);
+static void pim6_init(void);
static int set_pim6(int *);
static int socket_send __P((struct socket *, struct mbuf *,
struct sockaddr_in6 *));
@@ -146,10 +147,13 @@ struct ip6protosw in6_pim_protosw = {
.pr_input = pim6_input,
.pr_output = rip6_output,
.pr_ctloutput = rip6_ctloutput,
+ .pr_init = pim6_init,
.pr_usrreqs = &rip6_usrreqs
};
-static int ip6_mrouter_ver = 0;
+#ifdef VIMAGE_GLOBALS
+static int ip6_mrouter_ver;
+#endif
SYSCTL_DECL(_net_inet6);
SYSCTL_DECL(_net_inet6_ip6);
@@ -177,7 +181,9 @@ SYSCTL_OPAQUE(_net_inet6_ip6, OID_AUTO, mif6table, CTLFLAG_RD,
"Multicast Interfaces (struct mif[MAXMIFS], netinet6/ip6_mroute.h)");
#ifdef MRT6DEBUG
+#ifdef VIMAGE_GLOBALS
static u_int mrt6debug = 0; /* debug level */
+#endif
#define DEBUG_MFC 0x02
#define DEBUG_FORWARD 0x04
#define DEBUG_EXPIRE 0x08
@@ -222,7 +228,9 @@ SYSCTL_STRUCT(_net_inet6_pim, PIM6CTL_STATS, stats, CTLFLAG_RD,
&pim6stat, pim6stat,
"PIM Statistics (struct pim6stat, netinet6/pim_var.h)");
+#ifdef VIMAGE_GLOBALS
static int pim6;
+#endif
/*
* Hash function for a source, group entry
@@ -302,6 +310,17 @@ int X_ip6_mrouter_set(struct socket *so, struct sockopt *sopt);
int X_ip6_mrouter_get(struct socket *so, struct sockopt *sopt);
int X_mrt6_ioctl(int cmd, caddr_t data);
+static void
+pim6_init(void)
+{
+ INIT_VNET_INET6(curvnet);
+
+ V_ip6_mrouter_ver = 0;
+#ifdef MRT6DEBUG
+ V_mrt6debug = 0; /* debug level */
+#endif
+}
+
/*
* Handle MRT setsockopt commands to modify the multicast routing tables.
*/
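Review bot: pim6_init resets `V_ip6_mrouter_ver` and `V_mrt6debug` but not `pim6`, which an earlier hunk of this file also moves under `#ifdef VIMAGE_GLOBALS`; if a V_ accessor exists for it, `V_pim6 = 0;` belongs here too. The `mrt6debug` declaration in that earlier hunk keeps its `= 0` initialiser, unlike the other converted declarations in this commit, so that default is now stated twice. A short comment above pim6_init, saying it only seeds these defaults and is reached through `.pr_init` of `in6_pim_protosw`, would help readers.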
diff --git a/sys/netinet6/mld6.c b/sys/netinet6/mld6.c
index 7bfd2c4..9c6bbdb 100644
--- a/sys/netinet6/mld6.c
+++ b/sys/netinet6/mld6.c
@@ -104,7 +104,9 @@ __FBSDID("$FreeBSD$");
*/
#define MLD_UNSOLICITED_REPORT_INTERVAL 10
+#ifdef VIMAGE_GLOBALS
static struct ip6_pktopts ip6_opts;
+#endif
static void mld6_sendpkt(struct in6_multi *, int, const struct in6_addr *);
static void mld_starttimer(struct in6_multi *);
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 2ea6330..dfe0016 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -79,34 +79,32 @@ __FBSDID("$FreeBSD$");
#define SIN6(s) ((struct sockaddr_in6 *)s)
#define SDL(s) ((struct sockaddr_dl *)s)
-/* timer values */
-int nd6_prune = 1; /* walk list every 1 seconds */
-int nd6_delay = 5; /* delay first probe time 5 second */
-int nd6_umaxtries = 3; /* maximum unicast query */
-int nd6_mmaxtries = 3; /* maximum multicast query */
-int nd6_useloopback = 1; /* use loopback interface for local traffic */
-int nd6_gctimer = (60 * 60 * 24); /* 1 day: garbage collection timer */
+#ifdef VIMAGE_GLOBALS
+int nd6_prune;
+int nd6_delay;
+int nd6_umaxtries;
+int nd6_mmaxtries;
+int nd6_useloopback;
+int nd6_gctimer;
/* preventing too many loops in ND option parsing */
-int nd6_maxndopt = 10; /* max # of ND options allowed */
+int nd6_maxndopt;
-int nd6_maxnudhint = 0; /* max # of subsequent upper layer hints */
-int nd6_maxqueuelen = 1; /* max # of packets cached in unresolved ND entries */
+int nd6_maxnudhint;
+int nd6_maxqueuelen;
-#ifdef ND6_DEBUG
-int nd6_debug = 1;
-#else
-int nd6_debug = 0;
-#endif
+int nd6_debug;
/* for debugging? */
static int nd6_inuse, nd6_allocated;
+struct llinfo_nd6 llinfo_nd6;
-struct llinfo_nd6 llinfo_nd6 = {&llinfo_nd6, &llinfo_nd6};
struct nd_drhead nd_defrouter;
-struct nd_prhead nd_prefix = { 0 };
+struct nd_prhead nd_prefix;
+
+int nd6_recalc_reachtm_interval;
+#endif /* VIMAGE_GLOBALS */
-int nd6_recalc_reachtm_interval = ND6_RECALC_REACHTM_INTERVAL;
static struct sockaddr_in6 all1_sa;
static int nd6_is_new_addr_neighbor __P((struct sockaddr_in6 *,
@@ -118,9 +116,13 @@ static struct llinfo_nd6 *nd6_free(struct rtentry *, int);
static void nd6_llinfo_timer(void *);
static void clear_llinfo_pqueue(struct llinfo_nd6 *);
+#ifdef VIMAGE_GLOBALS
struct callout nd6_slowtimo_ch;
struct callout nd6_timer_ch;
extern struct callout in6_tmpaddrtimer_ch;
+extern int dad_ignore_ns;
+extern int dad_maxtry;
+#endif
void
nd6_init(void)
@@ -134,6 +136,39 @@ nd6_init(void)
return;
}
+ V_nd6_prune = 1; /* walk list every 1 seconds */
+ V_nd6_delay = 5; /* delay first probe time 5 second */
+ V_nd6_umaxtries = 3; /* maximum unicast query */
+ V_nd6_mmaxtries = 3; /* maximum multicast query */
+ V_nd6_useloopback = 1; /* use loopback interface for local traffic */
+ V_nd6_gctimer = (60 * 60 * 24); /* 1 day: garbage collection timer */
+
+ /* preventing too many loops in ND option parsing */
+ V_nd6_maxndopt = 10; /* max # of ND options allowed */
+
+ V_nd6_maxnudhint = 0; /* max # of subsequent upper layer hints */
+ V_nd6_maxqueuelen = 1; /* max pkts cached in unresolved ND entries */
+
+#ifdef ND6_DEBUG
+ V_nd6_debug = 1;
+#else
+ V_nd6_debug = 0;
+#endif
+
+ V_nd6_recalc_reachtm_interval = ND6_RECALC_REACHTM_INTERVAL;
+
+ V_dad_ignore_ns = 0; /* ignore NS in DAD - specwise incorrect*/
+ V_dad_maxtry = 15; /* max # of *tries* to transmit DAD packet */
+
+ V_llinfo_nd6.ln_next = &V_llinfo_nd6;
+ V_llinfo_nd6.ln_prev = &V_llinfo_nd6;
+ LIST_INIT(&V_nd_prefix);
+
+ ip6_use_tempaddr = 0;
+ ip6_temp_preferred_lifetime = DEF_TEMP_PREFERRED_LIFETIME;
+ ip6_temp_valid_lifetime = DEF_TEMP_VALID_LIFETIME;
+ ip6_temp_regen_advance = TEMPADDR_REGEN_ADVANCE;
+
all1_sa.sin6_family = AF_INET6;
all1_sa.sin6_len = sizeof(struct sockaddr_in6);
for (i = 0; i < sizeof(all1_sa.sin6_addr); i++)
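Review bot: The four temporary-address defaults at the end of the added block (`ip6_use_tempaddr`, `ip6_temp_preferred_lifetime`, `ip6_temp_valid_lifetime`, `ip6_temp_regen_advance`) are assigned without the `V_` prefix that every other assignment in this hunk uses. With VIMAGE_GLOBALS defined both spellings presumably reach the same global. Once the variables move into per-instance storage, these lines would either stop compiling or let every instance's nd6_init() reset one shared set of address-privacy settings. If vinet6.h provides the macros, write `V_ip6_use_tempaddr = 0;` and prefix the other three the same way. nd6_init() begins and continues outside this hunk.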
diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c
index f87a7a82..9d04c1b 100644
--- a/sys/netinet6/nd6_nbr.c
+++ b/sys/netinet6/nd6_nbr.c
@@ -86,8 +86,10 @@ static void nd6_dad_ns_output(struct dadq *, struct ifaddr *);
static void nd6_dad_ns_input(struct ifaddr *);
static void nd6_dad_na_input(struct ifaddr *);
-static int dad_ignore_ns = 0; /* ignore NS in DAD - specwise incorrect*/
-static int dad_maxtry = 15; /* max # of *tries* to transmit DAD packet */
+#ifdef VIMAGE_GLOBALS
+int dad_ignore_ns;
+int dad_maxtry;
+#endif
/*
* Input a Neighbor Solicitation Message.
@@ -1096,8 +1098,10 @@ struct dadq {
struct callout dad_timer_ch;
};
+#ifdef VIMAGE_GLOBALS
static struct dadq_head dadq;
-static int dad_init = 0;
+int dad_init;
+#endif
static struct dadq *
nd6_dad_find(struct ifaddr *ifa)
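Review bot: `dad_init` loses `static` here although nothing in the visible part of this commit refers to it from another file, while `dadq` directly above keeps internal linkage. `dad_ignore_ns` and `dad_maxtry` had to become external because nd6.c now assigns them, but for `dad_init` the wider linkage only adds a short, generic symbol to the kernel namespace. Unless a later virtualization step needs the symbol to be global, keep `static int dad_init;`.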
diff --git a/sys/netinet6/nd6_rtr.c b/sys/netinet6/nd6_rtr.c
index a1f891b..31f06a7 100644
--- a/sys/netinet6/nd6_rtr.c
+++ b/sys/netinet6/nd6_rtr.c
@@ -87,20 +87,16 @@ static int rt6_deleteroute(struct radix_node *, void *);
extern int nd6_recalc_reachtm_interval;
+#ifdef VIMAGE_GLOBALS
static struct ifnet *nd6_defifp;
int nd6_defifindex;
-int ip6_use_tempaddr = 0;
-
+int ip6_use_tempaddr;
int ip6_desync_factor;
-u_int32_t ip6_temp_preferred_lifetime = DEF_TEMP_PREFERRED_LIFETIME;
-u_int32_t ip6_temp_valid_lifetime = DEF_TEMP_VALID_LIFETIME;
-/*
- * shorter lifetimes for debugging purposes.
-int ip6_temp_preferred_lifetime = 800;
-static int ip6_temp_valid_lifetime = 1800;
-*/
-int ip6_temp_regen_advance = TEMPADDR_REGEN_ADVANCE;
+u_int32_t ip6_temp_preferred_lifetime;
+u_int32_t ip6_temp_valid_lifetime;
+int ip6_temp_regen_advance;
+#endif
/* RTPREF_MEDIUM has to be 0! */
#define RTPREF_HIGH 1
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index d365ec4..ece033e 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -117,7 +117,9 @@ extern struct inpcbinfo ripcbinfo;
extern u_long rip_sendspace;
extern u_long rip_recvspace;
+#ifdef VIMAGE_GLOBALS
struct rip6stat rip6stat;
+#endif
/*
* Hooks for multicast forwarding.
diff --git a/sys/netinet6/scope6.c b/sys/netinet6/scope6.c
index 4c6b860..4bb84d9 100644
--- a/sys/netinet6/scope6.c
+++ b/sys/netinet6/scope6.c
@@ -50,11 +50,6 @@ __FBSDID("$FreeBSD$");
#include <netinet6/in6_var.h>
#include <netinet6/scope6_var.h>
-#ifdef ENABLE_DEFAULT_SCOPE
-int ip6_use_defzone = 1;
-#else
-int ip6_use_defzone = 0;
-#endif
/*
* The scope6_lock protects the global sid default stored in
@@ -66,7 +61,11 @@ static struct mtx scope6_lock;
#define SCOPE6_UNLOCK() mtx_unlock(&scope6_lock)
#define SCOPE6_LOCK_ASSERT() mtx_assert(&scope6_lock, MA_OWNED)
+#ifdef VIMAGE_GLOBALS
static struct scope6_id sid_default;
+int ip6_use_defzone;
+#endif
+
#define SID(ifp) \
(((struct in6_ifextra *)(ifp)->if_afdata[AF_INET6])->scope6_id)
@@ -75,6 +74,11 @@ scope6_init(void)
{
INIT_VNET_INET6(curvnet);
+#ifdef ENABLE_DEFAULT_SCOPE
+ V_ip6_use_defzone = 1;
+#else
+ V_ip6_use_defzone = 0;
+#endif
SCOPE6_LOCK_INIT();
bzero(&V_sid_default, sizeof(V_sid_default));
}
diff --git a/sys/netinet6/vinet6.h b/sys/netinet6/vinet6.h
index 992e6e7..5c5455c 100644
--- a/sys/netinet6/vinet6.h
+++ b/sys/netinet6/vinet6.h
@@ -108,6 +108,7 @@ struct vnet_inet6 {
int _ip6_keepfaith;
int _ip6stealth;
time_t _ip6_log_time;
+ int _nd6_onlink_ns_rfc4861;
int _pmtu_expire;
int _pmtu_probe;
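Review bot: `_nd6_onlink_ns_rfc4861` is added to struct vnet_inet6 (with `V_nd6_onlink_ns_rfc4861` in the macro list in the next hunk), but the nd6_init() hunk in this commit, which now assigns defaults to the other nd6 variables, does not set it. Judging by its name, the flag selects how Neighbor Solicitations are validated, so its starting value should be explicit and not depend on how the containing storage was initialised. If the default is not assigned in a part of the commit that is not shown here, add an explicit assignment next to the other nd6 defaults, e.g. `V_nd6_onlink_ns_rfc4861 = 0;` if 0 is the intended default, with a comment saying which behaviour that selects.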
@@ -232,6 +233,7 @@ struct vnet_inet6 {
#define V_nd6_maxnudhint VNET_INET6(nd6_maxnudhint)
#define V_nd6_maxqueuelen VNET_INET6(nd6_maxqueuelen)
#define V_nd6_mmaxtries VNET_INET6(nd6_mmaxtries)
+#define V_nd6_onlink_ns_rfc4861 VNET_INET6(nd6_onlink_ns_rfc4861)
#define V_nd6_prune VNET_INET6(nd6_prune)
#define V_nd6_recalc_reachtm_interval VNET_INET6(nd6_recalc_reachtm_interval)
#define V_nd6_slowtimo_ch VNET_INET6(nd6_slowtimo_ch)
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index b752a67..a686f43 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -97,23 +97,19 @@
#include <opencrypto/cryptodev.h>
-#ifdef IPSEC_DEBUG
-int ipsec_debug = 1;
-#else
-int ipsec_debug = 0;
-#endif
-
+#ifdef VIMAGE_GLOBALS
/* NB: name changed so netstat doesn't use it */
struct ipsecstat ipsec4stat;
-int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
-int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
-int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
struct secpolicy ip4_def_policy;
-int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
-int ip4_esp_randpad = -1;
+int ipsec_debug;
+int ip4_ah_offsetmask;
+int ip4_ipsec_dfbit;
+int ip4_esp_trans_deflev;
+int ip4_esp_net_deflev;
+int ip4_ah_trans_deflev;
+int ip4_ah_net_deflev;
+int ip4_ipsec_ecn;
+int ip4_esp_randpad;
/*
* Crypto support requirements:
*
@@ -121,7 +117,8 @@ int ip4_esp_randpad = -1;
* -1 require software support
* 0 take anything
*/
-int crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+int crypto_support;
+#endif /* VIMAGE_GLOBALS */
SYSCTL_DECL(_net_inet_ipsec);
@@ -164,29 +161,33 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
"IPsec IPv4 statistics.");
#ifdef REGRESSION
+#ifdef VIMAGE_GLOBALS
+int ipsec_replay;
+int ipsec_integrity;
+#endif
/*
* When set to 1, IPsec will send packets with the same sequence number.
* This allows to verify if the other side has proper replay attacks detection.
*/
-int ipsec_replay = 0;
SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay,
CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
/*
* When set 1, IPsec will send packets with corrupted HMAC.
* This allows to verify if the other side properly detects modified packets.
*/
-int ipsec_integrity = 0;
SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity,
CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");
#endif
#ifdef INET6
+#ifdef VIMAGE_GLOBALS
struct ipsecstat ipsec6stat;
-int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+int ip6_esp_trans_deflev;
+int ip6_esp_net_deflev;
+int ip6_ah_trans_deflev;
+int ip6_ah_net_deflev;
+int ip6_ipsec_ecn;
+#endif
SYSCTL_DECL(_net_inet6_ipsec6);
@@ -242,6 +243,40 @@ static size_t ipsec_hdrsiz __P((struct secpolicy *));
MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
+void
+ipsec_init(void)
+{
+ INIT_VNET_IPSEC(curvnet);
+
+#ifdef IPSEC_DEBUG
+ V_ipsec_debug = 1;
+#else
+ V_ipsec_debug = 0;
+#endif
+
+ V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */
+ V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
+ V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip4_esp_net_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+ V_ip4_esp_randpad = -1;
+
+ V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+
+#ifdef REGRESSION
+ V_ipsec_replay = 0;
+ V_ipsec_integrity = 0;
+#endif
+
+ V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip6_esp_net_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+}
+
/*
* Return a held reference to the default SP.
*/
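Review bot: The five `V_ip6_*` assignments at the end of ipsec_init() are not wrapped in `#ifdef INET6`, although the variables they name are declared only inside `#ifdef INET6` earlier in this file. If the `V_` macros resolve to the plain globals while VIMAGE_GLOBALS is defined, a kernel built without INET6 would fail to compile here. The REGRESSION assignments just above are already guarded the same way as their declarations. Do the same here by putting `#ifdef INET6` before `V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;` and `#endif` after `V_ip6_ipsec_ecn = 0;`.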
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index f6346f8..3bc6bc9 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -359,6 +359,7 @@ extern struct ipsecrequest *ipsec_newisr(void);
extern void ipsec_delisr(struct ipsecrequest *);
struct tdb_ident;
+extern void ipsec_init(void);
extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int));
struct inpcb;
extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int,
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index c3cba60..db79f59 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -113,20 +113,31 @@
* field hits 0 (= no external reference other than from SA header.
*/
-u_int32_t key_debug_level = 0;
-static u_int key_spi_trycnt = 1000;
-static u_int32_t key_spi_minval = 0x100;
-static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */
-static u_int32_t policy_id = 0;
-static u_int key_int_random = 60; /*interval to initialize randseed,1(m)*/
-static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
-static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
-static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
-static int key_preferred_oldsa = 1; /* preferred old sa rather than new sa.*/
-
-static u_int32_t acq_seq = 0;
+#ifdef VIMAGE_GLOBALS
+u_int32_t key_debug_level;
+static u_int key_spi_trycnt;
+static u_int32_t key_spi_minval;
+static u_int32_t key_spi_maxval;
+static u_int32_t policy_id;
+static u_int key_int_random;
+static u_int key_larval_lifetime;
+static int key_blockacq_count;
+static int key_blockacq_lifetime;
+static int key_preferred_oldsa;
+
+static u_int32_t acq_seq;
+
+static int ipsec_esp_keymin;
+static int ipsec_esp_auth;
+static int ipsec_ah_keymin;
static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX]; /* SPD */
+static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */
+static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
+static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
+static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
+#endif /* VIMAGE_GLOBALS */
+
static struct mtx sptree_lock;
#define SPTREE_LOCK_INIT() \
mtx_init(&sptree_lock, "sptree", \
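Review bot: Moving `sahtree`, `regtree`, `acqtree` and `spacqtree` into the VIMAGE_GLOBALS block separates each list head from the mutex that used to be declared on the line after it (the removals are in the following four hunks). Nothing now records which lock covers which list, and the mutexes themselves stay outside the block. I would add a comment after the `#endif`, for example `/* Each *_lock below guards the list of the same name declared above. */`, assuming that pairing is what the locking macros are meant to enforce.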
@@ -136,7 +147,6 @@ static struct mtx sptree_lock;
#define SPTREE_UNLOCK() mtx_unlock(&sptree_lock)
#define SPTREE_LOCK_ASSERT() mtx_assert(&sptree_lock, MA_OWNED)
-static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */
static struct mtx sahtree_lock;
#define SAHTREE_LOCK_INIT() \
mtx_init(&sahtree_lock, "sahtree", \
@@ -147,7 +157,6 @@ static struct mtx sahtree_lock;
#define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED)
/* registed list */
-static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
static struct mtx regtree_lock;
#define REGTREE_LOCK_INIT() \
mtx_init(&regtree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
@@ -156,7 +165,6 @@ static struct mtx regtree_lock;
#define REGTREE_UNLOCK() mtx_unlock(&regtree_lock)
#define REGTREE_LOCK_ASSERT() mtx_assert(&regtree_lock, MA_OWNED)
-static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
static struct mtx acq_lock;
#define ACQ_LOCK_INIT() \
mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
@@ -165,7 +173,6 @@ static struct mtx acq_lock;
#define ACQ_UNLOCK() mtx_unlock(&acq_lock)
#define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED)
-static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
static struct mtx spacq_lock;
#define SPACQ_LOCK_INIT() \
mtx_init(&spacq_lock, "spacqtree", \
@@ -236,10 +243,6 @@ static const int maxsize[] = {
sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */
};
-static int ipsec_esp_keymin = 256;
-static int ipsec_esp_auth = 0;
-static int ipsec_ah_keymin = 128;
-
#ifdef SYSCTL_DECL
SYSCTL_DECL(_net_key);
#endif
@@ -7184,6 +7187,23 @@ key_init(void)
INIT_VNET_IPSEC(curvnet);
int i;
+ V_key_debug_level = 0;
+ V_key_spi_trycnt = 1000;
+ V_key_spi_minval = 0x100;
+ V_key_spi_maxval = 0x0fffffff; /* XXX */
+ V_policy_id = 0;
+ V_key_int_random = 60; /*interval to initialize randseed,1(m)*/
+ V_key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
+ V_key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
+ V_key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
+ V_key_preferred_oldsa = 1; /* preferred old sa rather than new sa*/
+
+ V_acq_seq = 0;
+
+ V_ipsec_esp_keymin = 256;
+ V_ipsec_esp_auth = 0;
+ V_ipsec_ah_keymin = 128;
+
SPTREE_LOCK_INIT();
REGTREE_LOCK_INIT();
SAHTREE_LOCK_INIT();
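Review bot: key_init() now mixes per-instance defaults (the added `V_*` assignments) with one-time setup of mutexes that are declared outside the VIMAGE_GLOBALS block, and nothing marks the boundary between the two. If this function is later run once per network stack instance, the `*_LOCK_INIT()` calls would be repeated on locks that are already initialised. A comment before `SPTREE_LOCK_INIT();` such as `/* global, one-time setup: the locks are not per-vnet */` would make the split visible. scope6_init() has the same mix with `SCOPE6_LOCK_INIT()`. key_init() continues outside this hunk.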
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index 882aed4..6d5c4bc 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -70,14 +70,16 @@ struct key_cb {
int key_count;
int any_count;
};
+
+#ifdef VIMAGE_GLOBALS
static struct key_cb key_cb;
+struct pfkeystat pfkeystat;
+#endif
static struct sockaddr key_src = { 2, PF_KEY, };
static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
-struct pfkeystat pfkeystat;
-
/*
* key_output()
*/
@@ -570,7 +572,9 @@ static void
key_init0(void)
{
INIT_VNET_IPSEC(curvnet);
+
bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
+ ipsec_init();
key_init();
}
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index c5b3697..3a4c7dc 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -88,9 +88,11 @@
#define AUTHSIZE(sav) \
((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
-int ah_enable = 1; /* control flow of packets with AH */
-int ah_cleartos = 1; /* clear ip_tos when doing AH calc */
+#ifdef VIMAGE_GLOBALS
+int ah_enable;
+int ah_cleartos;
struct ahstat ahstat;
+#endif
SYSCTL_DECL(_net_inet_ah);
SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
@@ -1217,6 +1219,10 @@ static struct xformsw ah_xformsw = {
static void
ah_attach(void)
{
+
+ V_ah_enable = 1; /* control flow of packets with AH */
+ V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */
+
xform_register(&ah_xformsw);
}
SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
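Review bot: ah_attach() now writes `V_ah_enable` and `V_ah_cleartos` without the `INIT_VNET_IPSEC(curvnet);` line that ipsec_init(), key_init() and key_init0() in this same commit place before their `V_` accesses. That is presumably harmless while VIMAGE_GLOBALS is defined, but it is inconsistent and would break once the macros need the instance pointer. Add `INIT_VNET_IPSEC(curvnet);` as the first statement. ipcomp_attach() and ipe4_attach() need the same line, and esp_attach() should be checked because its opening is outside its hunk.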
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 21cc82f..98a2240 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -76,8 +76,11 @@
#include <opencrypto/cryptodev.h>
#include <opencrypto/xform.h>
-int esp_enable = 1;
+#ifdef VIMAGE_GLOBALS
struct espstat espstat;
+static int esp_max_ivlen; /* max iv length over all algorithms */
+int esp_enable;
+#endif
SYSCTL_DECL(_net_inet_esp);
SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
@@ -85,8 +88,6 @@ SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
stats, CTLFLAG_RD, espstat, espstat, "");
-static int esp_max_ivlen; /* max iv length over all algorithms */
-
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
@@ -993,7 +994,9 @@ esp_attach(void)
if (xform.blocksize > V_esp_max_ivlen) \
V_esp_max_ivlen = xform.blocksize \
+ V_esp_enable = 1;
V_esp_max_ivlen = 0;
+
MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
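Review bot: `V_esp_enable = 1;` is inserted directly after what appears to be the MAXIV macro body, whose last line ends in a backslash. The only thing keeping the new assignment out of the macro is a blank line that this page does not show; the hunk's line counts suggest one was dropped in rendering. Confirm the blank line is present in the file, and preferably remove the trailing `\` from the `V_esp_max_ivlen = xform.blocksize` line so the macro no longer depends on it. The macro definition and esp_attach() both start outside this hunk.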
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 3492924..d64abf0f 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -67,8 +67,10 @@
#include <opencrypto/deflate.h>
#include <opencrypto/xform.h>
-int ipcomp_enable = 0;
+#ifdef VIMAGE_GLOBALS
+int ipcomp_enable;
struct ipcompstat ipcompstat;
+#endif
SYSCTL_DECL(_net_inet_ipcomp);
SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
@@ -597,6 +599,8 @@ static struct xformsw ipcomp_xformsw = {
static void
ipcomp_attach(void)
{
+
+ V_ipcomp_enable = 0;
xform_register(&ipcomp_xformsw);
}
SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 568d42e..610f984 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -91,8 +91,10 @@
* We can control the acceptance of IP4 packets by altering the sysctl
* net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
*/
-int ipip_allow = 0;
+#ifdef VIMAGE_GLOBALS
+int ipip_allow;
struct ipipstat ipipstat;
+#endif
SYSCTL_DECL(_net_inet_ipip);
SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
@@ -694,6 +696,9 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
static void
ipe4_attach(void)
{
+
+ V_ipip_allow = 0;
+
xform_register(&ipe4_xformsw);
/* attach to encapsulation framework */
/* XXX save return cookie for detach on module remove */
diff --git a/sys/sys/vimage.h b/sys/sys/vimage.h
index 7f87142..9124004 100644
--- a/sys/sys/vimage.h
+++ b/sys/sys/vimage.h
@@ -33,6 +33,8 @@
#ifndef _SYS_VIMAGE_H_
#define _SYS_VIMAGE_H_
+#define VIMAGE_GLOBALS 1
+
/* Non-VIMAGE null-macros */
#define CURVNET_SET(arg)
#define CURVNET_SET_QUIET(arg)
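Review bot: `VIMAGE_GLOBALS` is defined unconditionally and without a comment, yet every `#ifdef VIMAGE_GLOBALS` block added in this commit depends on it to keep the variables as ordinary globals. A reader of vimage.h cannot tell whether this is a permanent setting or a transitional switch. Add a short comment above the define, for example `/* Keep virtualized variables as plain globals; remove when per-vnet storage is used. */`, adjusted to the actual plan.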