path: root/sys/netinet/ip_dummynet.c
Commit message | Author | Age | Files | Lines
* Add some missing DUMMYNET_UNLOCK() in config_pipe(). | mlaier | 2004-03-03 | 1 | -2/+7
  Noticed by: Simon Coggins
  Approved by: bms(mentor)
* Re-remove MT_TAGs. The problems with dummynet have been fixed now. | mlaier | 2004-02-25 | 1 | -91/+128
  Tested by: -current, bms(mentor), me
  Approved by: bms(mentor), sam
* Backout MT_TAG removal (i.e. bring back MT_TAGs) for now, as dummynet is | mlaier | 2004-02-18 | 1 | -125/+91
  not working properly with the patch in place.
  Approved by: bms(mentor)
* This set of changes eliminates the use of MT_TAG "pseudo mbufs", replacing | mlaier | 2004-02-13 | 1 | -91/+125
  them mostly with packet tags (one case is handled by using an mbuf flag
  since the linkage between "caller" and "callee" is direct and there's no
  need to incur the overhead of a packet tag).
  This is (mostly) work from: sam
  Silence from: -arch
  Approved by: bms(mentor), sam, rwatson
* o Fix a comment: softticks lives in sys/kern/kern_timeout.c. | maxim | 2003-12-27 | 1 | -1/+1
  PR: kern/60613
  Submitted by: Gleb Smirnoff
  MFC after: 3 days
* Do not panic when flushing dummynet firewall rules | emax | 2003-12-06 | 1 | -1/+1
  Reviewed by: andre
  Approved by: re (scottl)
* Use MPSAFE callouts only when debug.mpsafenet is 1. Both timer routines | sam | 2003-11-23 | 1 | -1/+1
  potentially transmit packets that may enter KAME IPsec w/o Giant if the
  callouts are marked MPSAFE.
  Reviewed by: ume
  Approved by: re (rwatson)
* replace explicit changes to rt_refcnt by RT_ADDREF and RT_REMREF | sam | 2003-11-08 | 1 | -3/+1
  macros that expand to include assertions when the system is built with
  INVARIANTS
  Supported by: FreeBSD Foundation
* Replace the if_name and if_unit members of struct ifnet with new members | brooks | 2003-10-31 | 1 | -6/+5
  if_xname, if_dname, and if_dunit. if_xname is the name of the interface
  and if_dname/unit are the driver name and instance.
  This change paves the way for interface renaming and enhanced pseudo
  device creation and configuration semantics.
  Approved By: re (in principle)
  Reviewed By: njl, imp
  Tested On: i386, amd64, sparc64
  Obtained From: NetBSD (if_xname)
* o add locking to protect routing table refcnt manipulations | sam | 2003-10-29 | 1 | -16/+18
  o add some more debugging help for figuring out why folks are getting
    complaints about releasing routing table entries with a zero refcnt
  o fix comment that talked about spl's
  o remove duplicate define of DUMMYNET_DEBUG
  Supported by: FreeBSD Foundation
* Drop dummynet lock when calling back into the network stack to deliver | sam | 2003-10-16 | 1 | -0/+5
  packets. This eliminates a LOR with Giant that caused outbound pipes to
  fail.
  Supported by: FreeBSD Foundation
* Minor fixups + add locking. | sam | 2003-09-17 | 1 | -65/+120
  o change time to MPSAFE callout
  o make debug printfs conditional on DUMMYNET_DEBUG and runtime
    controllable by net.inet.ip.dummynet.debug
  o make boot-time printf dependent on bootverbose
  Sponsored by: FreeBSD Foundation
* o Fix a typo in previous commit. | maxim | 2003-07-31 | 1 | -1/+1
* o Do not overwrite saved interrupt priority level by alloc_hash(), | maxim | 2003-07-25 | 1 | -6/+8
    use a separate variable.
  o Restore interrupt priority level before return (no-op in HEAD).
  Spotted by: Don Bowman <don@sandvine.com>
  MFC after: 5 days
* Remove a stale comment, fix indentation. | luigi | 2003-06-28 | 1 | -8/+5
* Fix typo in a (commented out) debugging string. | luigi | 2003-06-23 | 1 | -1/+1
  Spotted by: diff
* Change handling to support strong alignment architectures such as alpha and | ticso | 2003-06-04 | 1 | -0/+8
  sparc64.
  PR: alpha/50658
  Submitted by: rizzo
  Tested on: alpha
* Fix indentation. | maxim | 2003-03-27 | 1 | -2/+2
* o Protect set_fs_param() by splimp(9). | maxim | 2003-03-27 | 1 | -7/+17

  Quote from kern/37573:

    There is an obvious race in netinet/ip_dummynet.c:config_pipe().
    Interrupts are not blocked when changing the params of an
    existing pipe. The specific crash observed:

    ... -> config_pipe -> set_fs_parms -> config_red
        malloc a new w_q_lookup table but take an interrupt before
        initializing it, interrupt handler does:
    ... -> dummynet_io -> red_drops
        red_drops dereferences the uninitialized (zeroed) w_q_lookup
        table.

  o Flush accumulated credits for idle pipes.
  o Flush accumulated credits when change pipe characteristics.
  o Change dn_flow_queue.numbytes type to unsigned long.

    Overlapping dn_flow_queue->numbytes in ready_event() leads to
    numbytes becomes negative and SET_TICKS() macro returns a very
    big value. heap_insert() overlaps dn_key again and inserts a queue
    to a ready heap with a sched_time points to the past. That leads to
    an "infinity" loop.

  PR: kern/33234, kern/37573, misc/42459, kern/43133, kern/44045, kern/48099
  Submitted by: Mike Hibler <mike@cs.utah.edu> (kern/37573)
  MFC after: 6 weeks
* De-anonymity a couple of messages I missed in a previous sweep. | maxim | 2003-01-20 | 1 | -2/+2
  Move one of them under DEB macro.
  Noticed by: Wiktor Niesiobedzki <w@evip.pl>
* Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, | schweikh | 2003-01-01 | 1 | -1/+1
  especially in troff files.
* o De-anonymity dummynet(4) and ipfw(4) messages, prepend them | maxim | 2002-12-24 | 1 | -30/+31
    by 'dummynet: ' and 'ipfw: ' prefixes.
  PR: kern/41609
* o Trim EOL whitespaces. | maxim | 2002-12-15 | 1 | -22/+22
  MFC after: 1 week
* o M_DONTWAIT is mbuf(9) flag: malloc(M_DONTWAIT) -> malloc(M_NOWAIT). | maxim | 2002-12-15 | 1 | -7/+7
  The bug does not affect anything because M_NOWAIT == M_DONTWAIT.
  Reviewed by: luigi
  MFC after: 1 week
* track changes to not strip the Ethernet header from input packets | sam | 2002-11-14 | 1 | -8/+5
  Reviewed by: many
  Approved by: re
* Due to a memory alignment sizeof(struct ipfw_flow_id) is bigger than | maxim | 2002-11-13 | 1 | -1/+6
  ipfw_flow_id structure actual size and bcmp(3) may fail to compare
  them properly. Compare members of these structures instead.
  PR: kern/44078
  Submitted by: Oleg Bulyzhin <oleg@rinet.ru>
  Reviewed by: luigi
  MFC after: 2 weeks
* Replace aux mbufs with packet tags: | sam | 2002-10-16 | 1 | -1/+1
  o instead of a list of mbufs use a list of m_tag structures a la openbsd
  o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
    ABI/module number cookie
  o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
    use this in defining openbsd-compatible m_tag_find and m_tag_get routines
  o rewrite KAME use of aux mbufs in terms of packet tags
  o eliminate the most heavily used aux mbufs by adding an additional struct
    inpcb parameter to ip_output and ip6_output to allow the IPsec code to
    locate the security policy to apply to outbound packets
  o bump __FreeBSD_version so code can be conditionalized
  o fixup ipfilter's call to ip_output based on __FreeBSD_version
  Reviewed by: julian, luigi (silent), -arch, -net, darren
  Approved by: julian, silence from everyone else
  Obtained from: openbsd (mostly)
  MFC after: 1 month
* Increase the max dummynet hash size from 1024 to 65536. Default is still | seanc | 2002-10-12 | 1 | -2/+2
  1024.
  Silence on: -net, -ipfw 4weeks+
  Reviewed by: dd
  Approved by: knu (mentor)
  MFC after: 3 weeks
* Kernel support for a dummynet option: | luigi | 2002-08-15 | 1 | -1/+1
  When a pipe or queue has the "noerror" attribute, do not report
  drops to the caller (ip_output() and friends).
  (2 lines to implement it, 2 lines to document it.)

  This will let you simulate losses on the sender side as if they
  happened in the middle of the network, i.e. with no explicit feedback
  to the sender.

  manpage and ipfw2.c changes to follow shortly, together with other
  ipfw2 changes.

  Requested by: silby
  MFC after: 3 days
* Fix a panic when doing "ipfw add pipe 1 log ..." | luigi | 2002-07-17 | 1 | -5/+30
  Also synchronize ip_dummynet.c with the version in RELENG_4 to
  ease MFC's.
* Change one variable to make it easier to switch between ipfw and ipfw2 | luigi | 2002-07-09 | 1 | -5/+3
* Forgot to update one field name in one of the latest commits. | luigi | 2002-07-08 | 1 | -2/+2
* The new ipfw code. | luigi | 2002-06-27 | 1 | -30/+26

  This code makes use of variable-size kernel representation of rules
  (exactly the same concept of BPF instructions, as used in the BSDI's
  firewall), which makes firewall operation a lot faster, and the
  code more readable and easier to extend and debug.

  The interface with the rest of the system is unchanged, as witnessed
  by this commit. The only extra kernel files that I am touching
  are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
  userland I only had to touch those programs which manipulate the
  internal representation of firewall rules).

  The code is almost entirely new (and I believe I have written the
  vast majority of those sections which were taken from the former
  ip_fw.c), so rather than modifying the old ip_fw.c I decided to
  create a new file, sys/netinet/ip_fw2.c . Same for the user
  interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
  /sbin/ipfw). The old files are still there, and will be removed
  in due time.

  I have not renamed the header file because it would have required
  touching a one-line change to a number of kernel files.

  In terms of user interface, the new "ipfw" is supposed to accept
  the old syntax for ipfw rules (and produce the same output with
  "ipfw show". Only a couple of the old options (out of some 30 of
  them) has not been implemented, but they will be soon.

  On the other hand, the new code has some very powerful extensions.
  First, you can put "or" connectives between match fields (and soon
  also between options), and write things like

    ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

  This should make rulesets slightly more compact (and lines longer!),
  by condensing 2 or more of the old rules into single ones.

  Also, as an example of how easy the rules can be extended, I have
  implemented an 'address set' match pattern, where you can specify
  an IP address in a format like this:

    10.20.30.0/26{18,44,33,22,9}

  which will match the set of hosts listed in braces belonging to the
  subnet 10.20.30.0/26 . The match is done using a bitmap, so it is
  essentially a constant time operation requiring a handful of CPU
  instructions (and a very small amount of memory -- for a full /24
  subnet, the instruction only consumes 40 bytes).

  Again, in this commit I have focused on functionality and tried
  to minimize changes to the other parts of the system. Some performance
  improvement can be achieved with minor changes to the interface of
  ip_fw_chk_t. This will be done later when this code is settled.

  The code is meant to compile unmodified on RELENG_4 (once the
  PACKET_TAG_* changes have been merged), for this reason you will
  see #ifdef __FreeBSD_version in a couple of places. This should
  minimize errors when (hopefully soon) it will be time to do the MFC.
* Remove (almost all) global variables that were used to hold | luigi | 2002-06-22 | 1 | -45/+40
  packet forwarding state ("annotations") during ip processing.
  The code is considerably cleaner now.

  The variables removed by this change are:

    ip_divert_cookie  used by divert sockets
    ip_fw_fwd_addr    used for transparent ip redirection
    last_pkt          used by dynamic pipes in dummynet

  Removal of the first two has been done by carrying the annotations
  into volatile structs prepended to the mbuf chains, and adding
  appropriate code to add/remove annotations in the routines which
  make use of them, i.e. ip_input(), ip_output(), tcp_input(),
  bdg_forward(), ether_demux(), ether_output_frame(), div_output().

  On passing, remove a bug in divert handling of fragmented packet.
  Now it is the fragment at offset 0 which sets the divert status of
  the whole packet, whereas formerly it was the last incoming fragment
  to decide.

  Removal of last_pkt required a change in the interface of ip_fw_chk()
  and dummynet_io(). On passing, use the same mechanism for dummynet
  annotations and for divert/forward annotations.

  option IPFIREWALL_FORWARD is effectively useless, the code to
  implement it is very small and is now in by default to avoid the
  obfuscation of conditionally compiled code.

  NOTES:
   * there is at least one global variable left, sro_fwd, in ip_output().
     I am not sure if/how this can be removed.
   * I have deliberately avoided gratuitous style changes in this commit
     to avoid cluttering the diffs. Minor style cleanup will likely be
     necessary
   * this commit only focused on the IP layer. I am sure there is a
     number of global variables used in the TCP and maybe UDP stack.
   * despite the number of files touched, there are absolutely no API's
     or data structures changed by this commit (except the interfaces of
     ip_fw_chk() and dummynet_io(), which are internal anyways), so
     an MFC is quite safe and unintrusive (and desirable, given the
     improved readability of the code).

  MFC after: 10 days
* Add ipfw hooks to ether_demux() and ether_output_frame(). | luigi | 2002-05-13 | 1 | -5/+27

  Ipfw processing of frames at layer 2 can be enabled by the sysctl variable

    net.link.ether.ipfw=1

  Consider this feature experimental, because right now, the firewall
  is invoked in the places indicated below, and controlled by the
  sysctl variables listed on the right. As a consequence, a packet
  can be filtered from 1 to 4 times depending on the path it follows,
  which might make a ruleset a bit hard to follow.

  I will add an ipfw option to tell if we want a given rule to apply
  to ether_demux() and ether_output_frame(), but we have run out of
  flags in the struct ip_fw so i need to think a bit on how to implement
  this.

                   to upper layers
                    |          |
          +----------->-----------+
          ^                       V
      [ip_input]             [ip_output]          net.inet.ip.fw.enable=1
          |                       |
          ^                       V
      [ether_demux]      [ether_output_frame]     net.link.ether.ipfw=1
          |                       |
          +->- [bdg_forward]-->---+               net.link.ether.bridge_ipfw=1
          ^                       V
          |                       |
                    to devices
* Simple p_ucred -> td_ucred changes to start using the per-thread ucred | jhb | 2002-02-27 | 1 | -1/+1
  reference.
* MFS: sync the ipfw/dummynet/bridge code with the one recently merged | luigi | 2001-11-04 | 1 | -24/+38
  into stable (mostly, but not only, formatting and comments changes).
* Make it so dummynet and bridge can be loaded as modules. | ps | 2001-10-05 | 1 | -61/+74
  Submitted by: billf
* Two main changes here: | luigi | 2001-09-27 | 1 | -20/+20
  + implement "limit" rules, which permit to limit the number of sessions
    between certain host pairs (according to masks). These are a special
    type of stateful rules, which might be of interest in some cases.
    See the ipfw manpage for details.
  + merge the list pointers and ipfw rule descriptors in the kernel, so
    the code is smaller, faster and more readable. This patch basically
    consists in replacing "foo->rule->bar" with "rule->bar" all over
    the place.
    I have been willing to do this for ages!
  MFC after: 1 week
* Include sys/proc.h for the definition of securelevel_ge(). | brooks | 2001-09-26 | 1 | -0/+1
  Submitted by: LINT
* o Modify IPFW and DUMMYNET administrative setsockopt() calls to use | rwatson | 2001-09-26 | 1 | -2/+5
    securelevel_gt() to check the securelevel, rather than direct access
    to the securelevel variable.
  Obtained from: TrustedBSD Project
* Sync with the bridge/dummynet/ipfw code already tested in stable. | luigi | 2001-02-10 | 1 | -5/+5
  In ip_fw.[ch] change a couple of variable and field names to
  avoid having types, variables and fields with the same name.
* Mechanical change to use <sys/queue.h> macro API instead of | phk | 2001-02-04 | 1 | -3/+3
  fondling implementation details.
  Created with: sed(1)
  Reviewed by: md5(1)
* MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately) | luigi | 2001-02-02 | 1 | -42/+44
* Minor cleanups after yesterday's patch. | luigi | 2001-01-26 | 1 | -4/+2
  The code (bridging and dummynet) actually worked fine!
* Bring dummynet in line with the code that now works in -STABLE. | luigi | 2001-01-26 | 1 | -88/+125
  It compiles, but I cannot test functionality yet.
* Change critical section protection for dummynet from splnet() to | luigi | 2001-01-22 | 1 | -15/+45
  splimp() -- we need it because dummynet can be invoked by the
  bridging code at splimp().
  This should cure the pipe "stalls" that several people have been
  reporting on -stable while using bridging+dummynet (the problem
  would not affect routers using dummynet).
* Some dummynet patches that I forgot to commit last summer. | luigi | 2001-01-16 | 1 | -34/+71
  One of them fixes a potential panic when bridging is used and
  you run out of mbufs (though i have no idea if the bug has
  ever hit anyone).
* Convert more malloc+bzero to malloc+M_ZERO. | dwmalone | 2000-12-08 | 1 | -10/+6
  Submitted by: josh@zipperup.org
  Submitted by: Robert Drehmel <robd@gmx.net>
* Fixup (hopefully) bridging + ipfw + dummynet together... | bmilekic | 2000-11-23 | 1 | -5/+5
  * Some dummynet code incorrectly handled a malloc()-allocated pseudo-mbuf
    header structure, called "pkt," and could consequently pollute the mbuf
    free list if it was ever passed to m_freem(). The fix involved passing not
    pkt, but essentially pkt->m_next (which is a real mbuf) to the mbuf
    utility routines.
  * Also, for dummynet, in bdg_forward(), made the code copy the ethernet header
    back into the mbuf (prepended) because the dummynet code that follows expects
    it to be there but it is, unfortunately for dummynet, passed to bdg_forward
    as a separate argument.
  PRs: kern/19551 ; misc/21534 ; kern/23010
  Submitted by: Thomas Moestl <tmoestl@gmx.net>
  Reviewed by: bmilekic
  Approved by: luigi