Columns: Commit message, Author, Age, Files, Lines
* Rebrand [RELENG_2_4_OLD]
|   Author: Timothy Pearson, Age: 2017-10-02, Files: 4, Lines: -0/+242
|
* Fix the build, define the boottime variable before use it.
|   Author: Luiz Souza, Age: 2017-07-24, Files: 1, Lines: -2/+5
|
|   (cherry picked from commit 4ff0e4a77646d70078e5be332359df4967d187f2)
* Fix the match timestamp when the table lookup command is used.
|   Author: Luiz Souza, Age: 2017-07-22, Files: 1, Lines: -0/+2
|
|   Reported by: garga
|   (cherry picked from commit 4fbc95c7ac1751266543e1c17e547fc8daec2981)
* Replace the hardcoded NULL. No functional changes.
|   Author: Luiz Souza, Age: 2017-07-20, Files: 1, Lines: -3/+3
|
|   (cherry picked from commit cc274278302a81add472ccf3344e8ec09a44f737)
* Remove a duplicate definition.
|   Author: Luiz Souza, Age: 2017-07-20, Files: 1, Lines: -1/+1
|
|   (cherry picked from commit dc59fff1188c9c81632773b3ddf0ba6e0ee843e3)
* Add the missing change from the last commit.
|   Author: Luiz Souza, Age: 2017-07-20, Files: 1, Lines: -0/+1
|
|   (cherry picked from commit f12a05b2e54dc5fd9af1b44316516af0a1e2a1c8)
* Add support for the classic pfSense 'mixed' tables.
|   Author: Luiz Souza, Age: 2017-07-20, Files: 7, Lines: -36/+76
|
|   The mixed tables are used to match against the IP[4|6] and the MAC
|   address of the peer.
|
|   (cherry picked from commit edfbe4e11e3f835451d36dfb533e0785f4437497)
* Shorten initial menu text
|   Author: jim-p, Age: 2017-07-19, Files: 1, Lines: -2/+2
|
|   (cherry picked from commit 4047fc02a0b5ab01eba376d1ffdb74e4958efcae)
|   (cherry picked from commit 2390e891a5d3f2d2647d0008cf57c45a5c30f32b)
* Prepare installer files for "Recover config.xml" option. Issue #7708
|   Author: jim-p, Age: 2017-07-18, Files: 3, Lines: -11/+48
|
|   The actual script will be in the pfSense repo under tools/installer
|
|   (cherry picked from commit 3413d68503fa5016f5f26a428109398ffab0372e)
|   (cherry picked from commit c9f41f00a675b5cdf7a2864a403cb2376837ace8)
* MFC r316355
|   Author: kp, Age: 2017-07-17, Files: 1, Lines: -1/+1
|
|   pf: Fix leak of pf_state_keys
|
|   If we hit the state limit we returned from pf_create_state() without
|   cleaning up.
|
|   PR: 217997
|   Submitted by: Max <maximos@als.nnov.ru>
|
|   (cherry picked from commit 649e7ba54470144c01ab6995ee6bd45d9a62bdde)
* MFC r313820
|   Author: vangyzen, Age: 2017-07-17, Files: 1, Lines: -4/+11
|
|   pf: use inet_ntoa_r() instead of inet_ntoa(); maybe fix IPv6 OS
|   fingerprinting
|
|   inet_ntoa() cannot be used safely in a multithreaded environment
|   because it uses a static local buffer. Instead, use inet_ntoa_r()
|   with a buffer on the caller's stack.
|
|   This code had an INET6 conditional before this commit, but
|   opt_inet6.h was not included, so INET6 was never defined. Apparently,
|   pf's OS fingerprinting hasn't worked with IPv6 for quite some time.
|   This commit might fix it, but I didn't test that.
|
|   Relnotes: yes (if I/someone can test pf OS fingerprinting with IPv6)
|   Sponsored by: Dell EMC
|
|   (cherry picked from commit b7b8fbe03255a1a3b3ca664044f99a4b1d9e0587)
* MFC r308692:
|   Author: loos, Age: 2017-07-17, Files: 1, Lines: -5/+8
|
|   Fix ti_gpio_detach() to avoid crashing if something goes wrong.
|
|   Sponsored by: Rubicon Communication, LLC (Netgate)
|
|   (cherry picked from commit ddbb1e5b9738fa9c1eb44463805c8bcf36221a81)
* MFC r318353:
|   Author: hselasky, Age: 2017-07-17, Files: 5, Lines: -25/+61
|
|   Avoid use of contiguous memory allocations in busdma when possible.
|
|   This patch improves the boundary checks in busdma to allow more cases
|   using the regular page based kernel memory allocator. Especially in
|   the case of having a non-zero boundary in the parent DMA tag. For
|   example AMD64 based platforms set the PCI DMA tag boundary to
|   PCI_DMA_BOUNDARY, 4GB, which before this patch caused contiguous
|   memory allocations to be preferred when allocating more than
|   PAGE_SIZE bytes. Even if the required alignment was less than
|   PAGE_SIZE bytes.
|
|   This patch also fixes the nsegments check for using kmem_alloc_attr()
|   when the maximum segment size is less than PAGE_SIZE bytes.
|
|   Updated some comments describing the code in question.
|
|   Differential Revision: https://reviews.freebsd.org/D10645
|   Reviewed by: kib, jhb, gallatin, scottl
|   Sponsored by: Mellanox Technologies
|
|   (cherry picked from commit 6181e9a69342927c6b1d10bc6a0aff8386ac9e38)
* MFC r320056: arm: set appropriate section flags for .init_pagetable
|   Author: emaste, Age: 2017-07-17, Files: 2, Lines: -2/+2
|
|   The arm kernel linker scripts place the .init_pagetable section in
|   .bss, but .init_pagetable had no section flags set, and so did not
|   match the expected flags for .bss. GNU ld silently ignores this case,
|   but lld reports an error:
|
|       ld: error: incompatible section flags for .bss
|       >>> locore.o:(.init_pagetable): 0x0
|       >>> output section .bss: 0x3
|
|   PR: 220055
|   Sponsored by: The FreeBSD Foundation
|
|   (cherry picked from commit 59f2914bf48137dbeb3227ff659c9aca14bc8c63)
* MFC r315050:
|   Author: ae, Age: 2017-07-17, Files: 1, Lines: -1/+1
|
|   Fix the L2 address printed in the "arp: %s moved from %*D" message.
|
|   In the r292978 struct llentry was changed and the ll_addr field
|   become the pointer.
|
|   PR: 217667
|
|   (cherry picked from commit a007a2a0b4c1a718147bbbbf8943cbb12adaaf95)
* Fix reference count leak with L2 caching.
|   Author: karels, Age: 2017-07-16, Files: 3, Lines: -4/+8
|
|   MFC r315956
|
|   ip_forward, TCP/IPv6, and probably SCTP leaked references to L2 cache
|   entry because they used their own routes on the stack, not in_pcb
|   routes. The original model for route caching was callers that
|   provided a route structure to ip{,6}input() would keep the route, and
|   this model was used for L2 caching as well. Instead, change L2
|   caching to be done by default only when using a route structure in
|   the in_pcb; the pcb deallocation code frees L2 as well as L3 caches.
|   A separate change will add route caching to TCP/IPv6.
|
|   Another suggestion was to have the transport protocols indicate
|   willingness to use L2 caching, but this approach keeps the changes in
|   the network level
|
|   Reviewed by: ae gnn
|   MFC after: 2 weeks
|   Differential Revision: https://reviews.freebsd.org/D10059
|
|   (cherry picked from commit 0b219504060b9ed97df36d0816488603c7305d64)
* Add the missing braces. Fixes the build.
|   Author: Luiz Souza, Age: 2017-07-16, Files: 1, Lines: -0/+2
|
|   (cherry picked from commit 8ba72301d3a6a7edd139cd136289543ee02c5ca4)
* Fix the ipfw_lookup_table() prototype and a mistake done in a last minute
|   function rename.
|   Author: Luiz Souza, Age: 2017-07-16, Files: 2, Lines: -2/+2
|
|   (cherry picked from commit 2d8da6a834cc0fd44f1f98a7a5c5b9aabc48829c)
* Add the timestamp of the last match, packet and byte counters to table
|   entries with a new ipfw table command to zero the counters.
|   Author: Luiz Souza, Age: 2017-07-15, Files: 9, Lines: -60/+714
|
|   Each table type implementation needs to be modified to add the
|   support to this feature and the FIB backend is the only one that was
|   not modified (because the backend does not have any local storage).
|
|   (cherry picked from commit 3b06c382c8a2e04b7a64291bfb6b0ca0e5dd8dca)
|   (cherry picked from commit b969fab78206744b1d323f47828125389299e450)
* Merge from stable/11 r320593:
|   Author: ae, Age: 2017-07-15, Files: 3, Lines: -3/+3
|
|   Fix IPv6 extension header parsing. The length field doesn't include
|   the first 8 octets.
|
|   Obtained from: Yandex LLC
|   Approved by: re (marius)
|
|   (cherry picked from commit 1b1001711cd25830b9dcd1ab518fa6bf0b7a3f11)
* MFC r318527
|   Author: truckman, Age: 2017-07-15, Files: 2, Lines: -6/+16
|
|   Fix the queue delay estimation in PIE/FQ-PIE when the timestamp (TS)
|   method is used. When packet timestamp is used, the "current_qdelay"
|   keeps storing the last queue delay value calculated in the dequeue
|   function. Therefore, when a burst of packets arrives followed by a
|   pause, the "current_qdelay" will store a high value caused by the
|   burst and stick to that value during the pause because the queue
|   delay measurement is done inside the dequeue function. This causes
|   the drop probability calculation function to calculate high drop
|   probability value instead of zero and prevents the burst allowance
|   mechanism from working properly. Fix this problem by resetting
|   "current_qdelay" inside the drop probability calculation function
|   when the queue length is zero and TS option is used.
|
|   Submitted by: Rasool Al-Saadi <ralsaadi@swin.edu.au>
|
|   (cherry picked from commit 7a13da8481a35110d3d84b66b31cd02ed4d9908c)
* MFC r318511
|   Author: truckman, Age: 2017-07-15, Files: 2, Lines: -42/+76
|
|   The result of right shifting a negative signed value is
|   implementation defined. On machines without arithmetic shift
|   instructions, zero bits may be shifted in from the left, giving a
|   large positive result instead of the desired divide-by power-of-2.
|   Fix this by operating on the absolute value and compensating for the
|   possible negation later.
|
|   Reverse the order of the underflow/overflow tests and the exponential
|   decay calculation to avoid the possibility of an erroneous overflow
|   detection if p is a sufficiently small non-negative value. Also check
|   for negative values of prob before doing the exponential decay to
|   avoid another instance of right shifting a negative value.
|
|   Tested by: Rasool Al-Saadi <ralsaadi@swin.edu.au>
|
|   (cherry picked from commit 61ad262512e302f69f713f8f13a6fff42dd917c7)
* MFC: r311817
|   Author: marius, Age: 2017-07-15, Files: 1, Lines: -65/+115
|
|   In dummynet(4), random chunks of memory are casted to struct dn_*,
|   potentially leading to fatal unaligned accesses on architectures with
|   strict alignment requirements. This change fixes dummynet(4) as far
|   as accesses to 64-bit members of struct dn_* are concerned, tripping
|   up on sparc64 with accesses to 32-bit members happening to be
|   correctly aligned there. In other words, this only fixes the tip of
|   the iceberg; larger parts of dummynet(4) still need to be rewritten
|   in order to properly work on all of !x86.
|
|   In principle, considering the amount of code in dummynet(4) that
|   needs this erroneous pattern corrected, an acceptable workaround
|   would be to declare all struct dn_* packed, forcing compilers to do
|   byte-accesses as a side-effect. However, given that the structs in
|   question aren't laid out well either, this would break ABI/KBI.
|
|   While at it, replace all existing bcopy(9) calls with memcpy(9) for
|   performance reasons, as there is no need to check for overlap in
|   these cases.
|
|   PR: 189219
|
|   (cherry picked from commit 1477d32c8175c9dd8b564ec8b3057c8b7be41bac)
* MFC r316777 (by cem)
|   Author: truckman, Age: 2017-07-15, Files: 2, Lines: -2/+2
|
|   dummynet: Use strlcpy to appease static checkers
|
|   Some dummynet modules used strcpy() to copy from a larger buffer
|   (dn_aqm->name) to a smaller buffer (dn_extra_parms->name). It happens
|   that the lengths of the strings in the dn_aqm buffers were always
|   hardcoded to be smaller than the dn_extra_parms buffer ("CODEL",
|   "PIE").
|
|   Use strlcpy() instead, to appease static checkers. No functional
|   change.
|
|   Reported by: Coverity
|   CIDs: 1356163, 1356165
|   Sponsored by: Dell EMC Isilon
|
|   (cherry picked from commit b5cebfa8d51591353618c9e05272f84af512540d)
* MFC r316824:
|   Author: ae, Age: 2017-07-15, Files: 1, Lines: -5/+7
|
|   The rule field in the ipfw_dyn_rule structure is used as storage to
|   pass rule number and rule set to userland. In r272840 the kernel
|   internal rule representation was changed and the rulenum field of
|   struct ip_fw_rule got the type uint32_t, but userlevel representation
|   still have the type uint16_t. To not overflow the size of pointer on
|   the systems with 32-bit pointer size use separate variable to copy
|   rulenum and set.
|
|   Reported by: PVS-Studio
|
|   (cherry picked from commit 43beaf2023388490ce9f05cd909715fc29f35ed5)
* MFC r316435:
|   Author: ae, Age: 2017-07-15, Files: 11, Lines: -1/+439
|
|   Add ipfw_pmod kernel module.
|
|   The module is designed for modification of a packets of any
|   protocols. For now it implements only TCP MSS modification. It adds
|   the external action handler for "tcp-setmss" action.
|
|   A rule with tcp-setmss action does additional check for protocol and
|   TCP flags. If SYN flag is present, it parses TCP options and modifies
|   MSS option if its value is greater than configured value in the rule.
|   Then it adjusts TCP checksum if needed. After handling the search
|   continues with the next rule.
|
|   Obtained from: Yandex LLC
|   Relnotes: yes
|   Sponsored by: Yandex LLC
|   Differential Revision: https://reviews.freebsd.org/D10150
|
|   (cherry picked from commit fed97f3094ee0c71bc2ae864dce888257108122c)
* MFC r316433:
|   Author: ae, Age: 2017-07-15, Files: 1, Lines: -0/+5
|
|   Add the log formatting for an external action opcode.
|
|   Obtained from: Yandex LLC
|   Sponsored by: Yandex LLC
|
|   (cherry picked from commit 93c66f329a5c7a8161ceef873184cc5c7b69431c)
* MFC r316434:
|   Author: ae, Age: 2017-07-15, Files: 4, Lines: -13/+40
|
|   Add O_EXTERNAL_DATA opcode support.
|
|   This opcode can be used to attach some data to external action
|   opcode. And unlike to O_EXTERNAL_INSTANCE opcode, this opcode does
|   not require creating of named instance to pass configuration
|   arguments to external action handler. The data is coming just next to
|   O_EXTERNAL_ACTION opcode.
|
|   The userlevel part currently supports formatting for opcode with
|   ipfw_insn size, by default it expects u16 numeric value in the arg1.
|
|   Obtained from: Yandex LLC
|   Sponsored by: Yandex LLC
|
|   (cherry picked from commit 7a6d766f1284a41887dd6302256d4bb01df92e5c)
* MFC r316461:
|   Author: ae, Age: 2017-07-15, Files: 10, Lines: -14/+18
|
|   Remove "IPFW static rules" rmlock.
|
|   Make PFIL's lock global and use it for this purpose. This reduces the
|   number of locks needed to acquire for each packet.
|
|   Obtained from: Yandex LLC
|   Sponsored by: Yandex LLC
|   Differential Revision: https://reviews.freebsd.org/D10154
|
|   (cherry picked from commit 9a21c53ccadbd5db7c683c6b68fb0d8c63b02c5f)
* MFC r316329:
|   Author: ae, Age: 2017-07-15, Files: 1, Lines: -1/+10
|
|   Reset the cached state of last lookup in the dynamic states when an
|   external action is completed, but the rule search is continued.
|
|   External action handler can change the content of @args argument,
|   that is used for dynamic state lookup. Enforce the new lookup to be
|   able install new state, when the search is continued.
|
|   Obtained from: Yandex LLC
|   Sponsored by: Yandex LLC
|
|   (cherry picked from commit 7317fc9c0522c902a4a0a67b17c5c5d25d04bff9)
* MFC r304041:
|   Author: ae, Age: 2017-07-15, Files: 31, Lines: -181/+8075
|
|   Move logging via BPF support into separate file.
|
|   * make interface cloner VNET-aware;
|   * simplify cloner code and use if_clone_simple();
|   * migrate LOGIF_LOCK() to rmlock;
|   * add ipfw_bpf_mtap2() function to pass mbuf to BPF;
|   * introduce new additional ipfwlog0 pseudo interface. It differs from
|     ipfw0 by DLT type used in bpfattach. This interface is intended to
|     used by ipfw modules to dump packets with additional info attached.
|     Currently pflog format is used. ipfw_bpf_mtap2() function uses
|     second argument to determine which interface use for dumping. If
|     dlen is equal to ETHER_HDR_LEN it uses old ipfw0 interface, if dlen
|     is equal to PFLOG_HDRLEN - ipfwlog0 will be used.
|
|   Obtained from: Yandex LLC
|   Sponsored by: Yandex LLC
|
|   MFC r304043:
|   Add three helper function to manage tables from external modules.
|
|   ipfw_objhash_lookup_table_kidx does lookup kernel index of table;
|   ipfw_ref_table/ipfw_unref_table takes and releases reference to
|   table.
|
|   Obtained from: Yandex LLC
|   Sponsored by: Yandex LLC
|
|   MFC r304046, 304108:
|   Add ipfw_nat64 module that implements stateless and stateful NAT64.
|
|   The module works together with ipfw(4) and implemented as its
|   external action module.
|
|   Stateless NAT64 registers external action with name nat64stl. This
|   keyword should be used to create NAT64 instance and to address this
|   instance in rules. Stateless NAT64 uses two lookup tables with mapped
|   IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.
|
|   A configuration of instance should looks like this:
|    1. Create lookup tables:
|       # ipfw table T46 create type addr valtype ipv6
|       # ipfw table T64 create type addr valtype ipv4
|    2. Fill T46 and T64 tables.
|    3. Add rule to allow neighbor solicitation and advertisement:
|       # ipfw add allow icmp6 from any to any icmp6types 135,136
|    4. Create NAT64 instance:
|       # ipfw nat64stl NAT create table4 T46 table6 T64
|    5. Add rules that matches the traffic:
|       # ipfw add nat64stl NAT ip from any to table(T46)
|       # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
|    6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
|       via NAT64 host.
|
|   Stateful NAT64 registers external action with name nat64lsn. The only
|   one option required to create nat64lsn instance - prefix4. It defines
|   the pool of IPv4 addresses used for translation.
|
|   A configuration of instance should looks like this:
|    1. Add rule to allow neighbor solicitation and advertisement:
|       # ipfw add allow icmp6 from any to any icmp6types 135,136
|    2. Create NAT64 instance:
|       # ipfw nat64lsn NAT create prefix4 A.B.C.D/28
|    3. Add rules that matches the traffic:
|       # ipfw add nat64lsn NAT ip from any to A.B.C.D/28
|       # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
|    4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
|       via NAT64 host.
|
|   Obtained from: Yandex LLC
|   Relnotes: yes
|   Sponsored by: Yandex LLC
|   Differential Revision: https://reviews.freebsd.org/D6434
|
|   MFC r304048:
|   Replace __noinline with special debug macro NAT64NOINLINE.
|
|   MFC r304061:
|   Use %ju to print unsigned 64-bit value.
|
|   MFC r304076:
|   Make statistics nat64lsn, nat64stl and nptv6 output netstat-like:
|   "@value @description" and fix build due to -Wformat errors.
|
|   MFC r304378 (by bz):
|   Try to fix gcc compilation errors (which are right).
|
|   nat64_getlasthdr() returns an int, which can be -1 in case of error,
|   storing the result in an uint8_t and then comparing to < 0 is not
|   helpful. Do what is done in the rest of the code and make proto an
|   int here as well.
|
|   MFC r309187:
|   Fix ICMPv6 Time Exceeded error message translation.
|
|   MFC r314718:
|   Use new ipfw_lookup_table() in the nat64 too.
|
|   MFC r315204,315233:
|   Use memset with structure size.
|
|   (cherry picked from commit 1f5f6e71571eeaab683b65e91887222f4a6ece97)
* MFC r303012:
|   Author: ae, Age: 2017-07-15, Files: 17, Lines: -0/+1646
|
|   Add ipfw_nptv6 module that implements Network Prefix Translation for
|   IPv6 as defined in RFC 6296. The module works together with ipfw(4)
|   and implemented as its external action module. When it is loaded, it
|   registers as eaction and can be used in rules. The usage pattern is
|   similar to ipfw_nat(4). All matched by rule traffic goes to the NPT
|   module.
|
|   Reviewed by: hrs
|   Obtained from: Yandex LLC
|   Relnotes: yes
|   Sponsored by: Yandex LLC
|   Differential Revision: https://reviews.freebsd.org/D6420
|
|   MFC r304049:
|   Add `stats reset` command implementation to NPTv6 module to be able
|   reset statistics counters.
|
|   Obtained from: Yandex LLC
|   Sponsored by: Yandex LLC
|
|   MFC r304076:
|   Make statistics nat64lsn, nat64stl and nptv6 output netstat-like:
|   "@value @description" and fix build due to -Wformat errors.
|
|   MFC r314507:
|   Fix NPTv6 rule counters when one_pass is not enabled.
|
|   Consider the rule matching when both @done and @retval values
|   returned from ipfw_run_eaction() are zero. And modify ipfw_nptv6() to
|   return IP_FW_DENY and @done=0 when addresses do not match.
|
|   Obtained from: Yandex LLC
|   Sponsored by: Yandex LLC
|
|   (cherry picked from commit f2b9d4d15428a360ba4692447f87aa3b7c7b4d83)
* MFC r315516
|   Author: truckman, Age: 2017-07-15, Files: 1, Lines: -3/+3
|
|   Change several constants used by the PIE algorithm from unsigned to
|   signed.
|
|   - PIE_MAX_PROB is compared to variable of int64_t and the type
|     promotion rules can cause the value of that variable to be treated
|     as unsigned. If the value is actually negative, then the result of
|     the comparison is incorrect, causing the algorithm to perform
|     poorly in some situations. Changing the constant to be signed cause
|     the comparison to work correctly.
|   - PIE_SCALE is also compared to signed values. Fortunately they are
|     also compared to zero and negative values are discarded so this is
|     more of a cosmetic fix.
|   - PIE_DQ_THRESHOLD is only compared to unsigned values, but it is
|     small enough that the automatic promotion to unsigned is harmless.
|
|   Submitted by: Rasool Al-Saadi <ralsaadi@swin.edu.au>
|
|   (cherry picked from commit 2f199c035fbd9665f88076f9676e6b81d16376ef)
* MFC r303018:
|   Author: ae, Age: 2017-07-15, Files: 8, Lines: -48/+383
|
|   Add named dynamic states support to ipfw(4).
|
|   The keep-state, limit and check-state now will have additional
|   argument flowname. This flowname will be assigned to dynamic rule by
|   keep-state or limit opcode. And then can be matched by check-state
|   opcode or O_PROBE_STATE internal opcode. To reduce possible breakage
|   and to maximize compatibility with old rulesets default flowname
|   introduced. It will be assigned to the rules when user has omitted
|   state name in keep-state and check-state opcodes. Also if name is
|   ambiguous (can be evaluated as rule opcode) it will be replaced to
|   default.
|
|   Reviewed by: julian
|   Obtained from: Yandex LLC
|   Relnotes: yes
|   Sponsored by: Yandex LLC
|   Differential Revision: https://reviews.freebsd.org/D6674
|
|   MFC r304087:
|   Do not warn about ambiguous state name when we inspect a comment
|   token.
|
|   MFC r304089:
|   Add an ability to attach comment to check-state rules.
|
|   MFC r310727 (by marius):
|   Fix a bug in r272840; given that the optlen parameter of
|   setsockopt(2) is a 32-bit socklen_t, do_get3() passes the kernel to
|   access the wrong 32-bit half on big-endian LP64 machines when simply
|   casting the 64-bit size_t optlen to a socklen_t pointer.
|
|   While at it and given that the intention of do_get3() apparently is
|   to hide/wrap the fact that socket options are used for communication
|   with ipfw(4), change the optlen parameter of do_set3() to be of type
|   size_t and as such more appropriate than uintptr_t, too.
|
|   MFC r315305:
|   Change the syntax of ipfw's named states.
|
|   Since the state name is an optional argument, it often can conflict
|   with other options. To avoid ambiguity now the state name must be
|   prefixed with a colon.
|
|   Sponsored by: Yandex LLC
|
|   (cherry picked from commit ab3e7e42d2f4196cc40513ff5d86b05bb15355e8)
* MFC r314716:
|   Author: ae, Age: 2017-07-15, Files: 4, Lines: -87/+114
|
|   Add IPv6 support to O_IP_DST_LOOKUP opcode.
|
|   o check the size of O_IP_SRC_LOOKUP opcode, it can not exceed the
|     size of ipfw_insn_u32;
|   o rename ipfw_lookup_table_extended() function into
|     ipfw_lookup_table() and remove old ipfw_lookup_table();
|   o use args->f_id.flow_id6 that is in host byte order to get DSCP
|     value;
|   o add SCTP ports support to 'lookup src/dst-port' opcode;
|   o add IPv6 support to 'lookup src/dst-ip' opcode.
|
|   PR: 217292
|   Sponsored by: Yandex LLC
|   Differential Revision: https://reviews.freebsd.org/D9873
|
|   (cherry picked from commit d05930372b11a5433026bb7e67fde41321a29dac)
* MFC r313821 r315277 r315286
|   Author: vangyzen, Age: 2017-07-15, Files: 16, Lines: -176/+222
|
|   Use inet_ntoa_r() instead of inet_ntoa() throughout the kernel.
|
|   inet_ntoa() cannot be used safely in a multithreaded environment
|   because it uses a static local buffer. Instead, use inet_ntoa_r()
|   with a buffer on the caller's stack, except for KTR messages.
|
|   KTR can correctly log the immediate integral values passed to it, as
|   well as constant strings, but not non-constant strings, since they
|   might change by the time ktrdump retrieves them. Therefore, use hex
|   notation in KTR messages.
|
|   Sponsored by: Dell EMC
|
|   (cherry picked from commit 5ebfb876ead3dd5491730d0a543aba065d39d55d)
* MFC r314715:
|   Author: ae, Age: 2017-07-15, Files: 1, Lines: -1/+8
|
|   Reject invalid object types that can not be used with specific
|   opcodes.
|
|   When we doing reference counting of named objects in the new rule,
|   for existing objects check that opcode references to correct object,
|   otherwise return EINVAL.
|
|   PR: 217391
|
|   (cherry picked from commit ef822e4aa0e77e166bb8d6d106ebe590df25ff58)
* MFC r314614:
|   Author: ae, Age: 2017-07-15, Files: 1, Lines: -4/+6
|
|   Fix matching table entry value. Use real table value instead of its
|   index in valuestate array.
|
|   When opcode has size equal to ipfw_insn_u32, this means that it
|   should additionally match value specified in d[0] with table entry
|   value. ipfw_table_lookup() returns table value index, use TARG_VAL()
|   macro to convert it to its value. The actual 32-bit value stored in
|   the tag field of table_value structure, where all unspecified u32
|   values are kept.
|
|   PR: 217262
|
|   (cherry picked from commit 2a62e338590335911213425c6312fb6680dc4f08)
* MFC r313356:
|   Author: ngie, Age: 2017-07-15, Files: 2, Lines: -2/+2
|
|   Fix typos in comments (returing -> returning)
|
|   (cherry picked from commit cb8faf3e7df1e81f95dc5e59c89c5ad19f6154c2)
* MFC r312341:
|   Author: ae, Age: 2017-07-15, Files: 1, Lines: -1/+1
|
|   Initialize IPFW static rules rmlock with RM_RECURSE flag.
|
|   This lock was replaced from rwlock in r272840. But unlike rwlock,
|   rmlock doesn't allow recursion on rm_rlock(), so at this time fix
|   this with RM_RECURSE flag. Later we need to change ipfw to avoid such
|   recursions.
|
|   PR: 216171
|
|   (cherry picked from commit 1e8f10faa2cf849d9ec5295daecbff4c9f081147)
* MFC r309660:
|   Author: ae, Age: 2017-07-15, Files: 1, Lines: -6/+5
|
|   Convert result of hash_packet6() into host byte order.
|
|   For IPv4 similar function uses addresses and ports in host byte
|   order, but for IPv6 it used network byte order. This led to very bad
|   hash distribution for IPv6 flows. Now the result looks similar to
|   IPv4.
|
|   (cherry picked from commit 0a0bda82615be0207814d7a2c02873ec5ecedce8)
* MFC r308237:
|   Author: loos, Age: 2017-07-15, Files: 1, Lines: -1/+1
|
|   Remove the mbuf tag after use (for reinjected packets).
|
|   Fixes the packet processing in dummynet l2 rules.
|
|   Obtained from: pfSense
|   Sponsored by: Rubicon Communications, LLC (Netgate)
|
|   (cherry picked from commit 41e01117ba34cca63862da2cd14fc8bade649d1c)
* Stop abusing from struct ifnet presence to determine the packet direction
|   for dummynet, use the correct argument for that, remove the false
|   comment about the presence of struct ifnet.
|   Author: loos, Age: 2017-07-15, Files: 1, Lines: -4/+2
|
|   Fixes the input match of dummynet l2 rules.
|
|   Obtained from: pfSense
|   Sponsored by: Rubicon Communications, LLC (Netgate)
|
|   (cherry picked from commit 3a397c8fa4ebd59794e6e0d775ee15b42b7b30ee)
* MFC r305940:
|   Author: ae, Age: 2017-07-15, Files: 1, Lines: -2/+2
|
|   Move opcode rewriter init and destroy handlers into non-VNET code.
|
|   PR: 212576,212649,212077
|   Submitted by: John Zielinski
|
|   (cherry picked from commit ea6ed08789ae8292a4851ab4d8c3aa9727aa42ba)
* MFC r305778:
|   Author: ae, Age: 2017-07-15, Files: 1, Lines: -6/+38
|
|   Fix swap tables between sets when this functional is enabled.
|
|   We have 6 opcode rewriters for table opcodes. When `set swap' command
|   invoked, it is called for each rewriter, so at the end we get the
|   same result, because opcode rewriter uses ETLV type to match opcode.
|   And all tables opcodes have the same ETLV type. To solve this
|   problem, use separate sets handler for one opcode rewriter. Use it to
|   handle TEST_ALL, SWAP_ALL and MOVE_ALL commands.
|
|   PR: 212630
|
|   (cherry picked from commit bca7482346238dcfe2a6ddc1c01263d62e40354b)
* Add script to copy config.xml off an available USB drive after the
|   installation is complete, similar to the old PFI behavior.
|   Author: jim-p, Age: 2017-07-12, Files: 3, Lines: -1/+62
|
|   Implements #7689
|
|   (cherry picked from commit ec316ce32d9b91fd07abc6392323f43d5365c6bd)
|   (cherry picked from commit e471bc56255d0ba97d8ec1a9add892d069ebff42)
* Merge remote-tracking branch 'origin/releng/11.0' into RELENG_2_4
|   Author: Renato Botelho, Age: 2017-07-12, Files: 3, Lines: -4/+8
|\
| * Fix heimdal KDC-REP service name validation vulnerability [SA-17:05]
| |   Author: delphij, Age: 2017-07-12, Files: 3, Lines: -4/+8
| |
| |   Approved by: so
* | Fix a crash in gpioctl, the flags list must be null terminated.
| |   Author: Luiz Souza, Age: 2017-06-24, Files: 1, Lines: -0/+1
| |
* | Fix the port based vlans for the Marvell e6000 series switches.
| |   Author: Luiz Souza, Age: 2017-06-22, Files: 2, Lines: -92/+87
| |