path: root/sys/netinet/ip_dummynet.c
Commit log (date, author, files changed, lines removed/added, then the commit message)
* 2003-01-20 maxim (1 file, -2/+2)
  De-anonymity a couple of messages I missed in a previous sweep.
  Move one of them under DEB macro.
  Noticed by: Wiktor Niesiobedzki <w@evip.pl>
* 2003-01-01 schweikh (1 file, -1/+1)
  Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, especially in troff files.
* 2002-12-24 maxim (1 file, -30/+31)
  o De-anonymity dummynet(4) and ipfw(4) messages, prepend them by 'dummynet: ' and 'ipfw: ' prefixes.
  PR: kern/41609
* 2002-12-15 maxim (1 file, -22/+22)
  o Trim EOL whitespaces.
  MFC after: 1 week
* 2002-12-15 maxim (1 file, -7/+7)
  o M_DONTWAIT is mbuf(9) flag: malloc(M_DONTWAIT) -> malloc(M_NOWAIT).
  The bug does not affect anything because M_NOWAIT == M_DONTWAIT.
  Reviewed by: luigi
  MFC after: 1 week
* 2002-11-14 sam (1 file, -8/+5)
  track changes to not strip the Ethernet header from input packets
  Reviewed by: many
  Approved by: re
* 2002-11-13 maxim (1 file, -1/+6)
  Due to a memory alignment sizeof(struct ipfw_flow_id) is bigger than ipfw_flow_id structure actual size and bcmp(3) may fail to compare them properly. Compare members of these structures instead.
  PR: kern/44078
  Submitted by: Oleg Bulyzhin <oleg@rinet.ru>
  Reviewed by: luigi
  MFC after: 2 weeks
* 2002-10-16 sam (1 file, -1/+1)
  Replace aux mbufs with packet tags:
  o instead of a list of mbufs use a list of m_tag structures a la openbsd
  o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit ABI/module number cookie
  o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and use this in defining openbsd-compatible m_tag_find and m_tag_get routines
  o rewrite KAME use of aux mbufs in terms of packet tags
  o eliminate the most heavily used aux mbufs by adding an additional struct inpcb parameter to ip_output and ip6_output to allow the IPsec code to locate the security policy to apply to outbound packets
  o bump __FreeBSD_version so code can be conditionalized
  o fixup ipfilter's call to ip_output based on __FreeBSD_version
  Reviewed by: julian, luigi (silent), -arch, -net, darren
  Approved by: julian, silence from everyone else
  Obtained from: openbsd (mostly)
  MFC after: 1 month
* 2002-10-12 seanc (1 file, -2/+2)
  Increase the max dummynet hash size from 1024 to 65536. Default is still 1024.
  Silence on: -net, -ipfw 4weeks+
  Reviewed by: dd
  Approved by: knu (mentor)
  MFC after: 3 weeks
* 2002-08-15 luigi (1 file, -1/+1)
  Kernel support for a dummynet option:
  When a pipe or queue has the "noerror" attribute, do not report drops to the caller (ip_output() and friends). (2 lines to implement it, 2 lines to document it.)
  This will let you simulate losses on the sender side as if they happened in the middle of the network, i.e. with no explicit feedback to the sender.
  manpage and ipfw2.c changes to follow shortly, together with other ipfw2 changes.
  Requested by: silby
  MFC after: 3 days
* 2002-07-17 luigi (1 file, -5/+30)
  Fix a panic when doing "ipfw add pipe 1 log ..."
  Also synchronize ip_dummynet.c with the version in RELENG_4 to ease MFC's.
* 2002-07-09 luigi (1 file, -5/+3)
  Change one variable to make it easier to switch between ipfw and ipfw2
* 2002-07-08 luigi (1 file, -2/+2)
  Forgot to update one field name in one of the latest commits.
* 2002-06-27 luigi (1 file, -30/+26)
  The new ipfw code.

  This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug.

  The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules.

  The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files.

  In terms of user interface, the new "ipfw" is supposed to accept the old syntax for ipfw rules (and produce the same output with "ipfw show"). Only a couple of the old options (out of some 30 of them) have not been implemented, but they will be soon.

  On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like

      ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

  This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones.

  Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this:

      10.20.30.0/26{18,44,33,22,9}

  which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memory -- for a full /24 subnet, the instruction only consumes 40 bytes).

  Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled.

  The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
* 2002-06-22 luigi (1 file, -45/+40)
  Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now.

  The variables removed by this change are:

      ip_divert_cookie    used by divert sockets
      ip_fw_fwd_addr      used for transparent ip redirection
      last_pkt            used by dynamic pipes in dummynet

  Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output().

  On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide.

  Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations.

  option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code.

  NOTES:
   * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed.
   * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor style cleanup will likely be necessary
   * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack.
   * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code).

  MFC after: 10 days
* 2002-05-13 luigi (1 file, -5/+27)
  Add ipfw hooks to ether_demux() and ether_output_frame().

  Ipfw processing of frames at layer 2 can be enabled by the sysctl variable

      net.link.ether.ipfw=1

  Consider this feature experimental, because right now, the firewall is invoked in the places indicated below, and controlled by the sysctl variables listed on the right. As a consequence, a packet can be filtered from 1 to 4 times depending on the path it follows, which might make a ruleset a bit hard to follow. I will add an ipfw option to tell if we want a given rule to apply to ether_demux() and ether_output_frame(), but we have run out of flags in the struct ip_fw so I need to think a bit on how to implement this.

                  to upper layers
                    |         |
             +----------->-----------+
             ^                       V
        [ip_input]             [ip_output]        net.inet.ip.fw.enable=1
             |                       |
             ^                       V
        [ether_demux]      [ether_output_frame]   net.link.ether.ipfw=1
             |                       |
             +->- [bdg_forward]-->---+            net.link.ether.bridge_ipfw=1
             ^                       V
             |                       |
                  to devices
* 2002-02-27 jhb (1 file, -1/+1)
  Simple p_ucred -> td_ucred changes to start using the per-thread ucred reference.
* 2001-11-04 luigi (1 file, -24/+38)
  MFS: sync the ipfw/dummynet/bridge code with the one recently merged into stable (mostly, but not only, formatting and comments changes).
* 2001-10-05 ps (1 file, -61/+74)
  Make it so dummynet and bridge can be loaded as modules.
  Submitted by: billf
* 2001-09-27 luigi (1 file, -20/+20)
  Two main changes here:
  + implement "limit" rules, which permit to limit the number of sessions between certain host pairs (according to masks). These are a special type of stateful rules, which might be of interest in some cases. See the ipfw manpage for details.
  + merge the list pointers and ipfw rule descriptors in the kernel, so the code is smaller, faster and more readable. This patch basically consists in replacing "foo->rule->bar" with "rule->bar" all over the place. I have been willing to do this for ages!
  MFC after: 1 week
* 2001-09-26 brooks (1 file, -0/+1)
  Include sys/proc.h for the definition of securelevel_ge().
  Submitted by: LINT
* 2001-09-26 rwatson (1 file, -2/+5)
  o Modify IPFW and DUMMYNET administrative setsockopt() calls to use securelevel_gt() to check the securelevel, rather than direct access to the securelevel variable.
  Obtained from: TrustedBSD Project
* 2001-02-10 luigi (1 file, -5/+5)
  Sync with the bridge/dummynet/ipfw code already tested in stable.
  In ip_fw.[ch] change a couple of variable and field names to avoid having types, variables and fields with the same name.
* 2001-02-04 phk (1 file, -3/+3)
  Mechanical change to use <sys/queue.h> macro API instead of fondling implementation details.
  Created with: sed(1)
  Reviewed by: md5(1)
* 2001-02-02 luigi (1 file, -42/+44)
  MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately)
* 2001-01-26 luigi (1 file, -4/+2)
  Minor cleanups after yesterday's patch.
  The code (bridging and dummynet) actually worked fine!
* 2001-01-26 luigi (1 file, -88/+125)
  Bring dummynet in line with the code that now works in -STABLE.
  It compiles, but I cannot test functionality yet.
* 2001-01-22 luigi (1 file, -15/+45)
  Change critical section protection for dummynet from splnet() to splimp() -- we need it because dummynet can be invoked by the bridging code at splimp().
  This should cure the pipe "stalls" that several people have been reporting on -stable while using bridging+dummynet (the problem would not affect routers using dummynet).
* 2001-01-16 luigi (1 file, -34/+71)
  Some dummynet patches that I forgot to commit last summer.
  One of them fixes a potential panic when bridging is used and you run out of mbufs (though i have no idea if the bug has ever hit anyone).
* 2000-12-08 dwmalone (1 file, -10/+6)
  Convert more malloc+bzero to malloc+M_ZERO.
  Submitted by: josh@zipperup.org
  Submitted by: Robert Drehmel <robd@gmx.net>
* 2000-11-23 bmilekic (1 file, -5/+5)
  Fixup (hopefully) bridging + ipfw + dummynet together...
  * Some dummynet code incorrectly handled a malloc()-allocated pseudo-mbuf header structure, called "pkt," and could consequently pollute the mbuf free list if it was ever passed to m_freem(). The fix involved passing not pkt, but essentially pkt->m_next (which is a real mbuf) to the mbuf utility routines.
  * Also, for dummynet, in bdg_forward(), made the code copy the ethernet header back into the mbuf (prepended) because the dummynet code that follows expects it to be there but it is, unfortunately for dummynet, passed to bdg_forward as a separate argument.
  PRs: kern/19551 ; misc/21534 ; kern/23010
  Submitted by: Thomas Moestl <tmoestl@gmx.net>
  Reviewed by: bmilekic
  Approved by: luigi
* 2000-07-17 luigi (1 file, -2/+2)
  close PR 19544 - ipfw pipe delete causes panic when no pipes defined
  PR: 19544
* 2000-06-14 luigi (1 file, -5/+10)
  Fix behaviour of "ipfw pipe show" -- previous code gave ambiguous data to the userland program (kernel operation was safe, anyways).
* 2000-06-08 luigi (1 file, -316/+1135)
  Implement WF2Q+ in dummynet.
* 2000-05-26 jake (1 file, -1/+1)
  Back out the previous change to the queue(3) interface.
  It was not discussed and should probably not happen.
  Requested by: msmith and others
* 2000-05-23 jake (1 file, -1/+1)
  Change the way that the queue(3) structures are declared; don't assume that the type argument to *_HEAD and *_ENTRY is a struct.
  Suggested by: phk
  Reviewed by: phk
  Approved by: mdodd
* 2000-05-14 archie (1 file, -1/+10)
  Move code to handle BPF and bridging for incoming Ethernet packets out of the individual drivers and into the common routine ether_input(). Also, remove the (incomplete) hack for matching ethernet headers in the ip_fw code.
  The good news: net result of 1016 lines removed, and this should make bridging now work with *all* Ethernet drivers.
  The bad news: it's nearly impossible to test every driver, especially for bridging, and I was unable to get much testing help on the mailing lists.
  Reviewed by: freebsd-net
* 2000-02-11 luigi (1 file, -0/+1)
  Forgot one line: don't try to match flags when looking for a flow.
  Approved-by: jordan
* 2000-02-10 luigi (1 file, -28/+38)
  Support for stateful (dynamic) ipfw rules. They are very similar to ipfilter's keep-state. Look at the updated ipfw(8) manpage for details.
  Approved-by: jordan
* 2000-02-04 luigi (1 file, -6/+6)
  Fix a (mostly harmless) scheduling-in-the-past problem with dummynet (already fixed in -stable, was waiting for Jordan's approval due to the code freeze).
  Reported-By: Mike Tancsa
  Approved-By: Jordan
* 2000-01-08 luigi (1 file, -360/+670)
  Implement per-flow queueing. Using a single pipe config rule, now you can dynamically create rate-limited queues for different flows using masks on dst/src IP, port and protocols. Read the ipfw(8) manpage for details and examples.
  Restructure the internals of the traffic shaper to use heaps, so that it efficiently manages a large number of queues.
  Fix a bug which was present in the previous versions which could cause, under certain infrequent conditions, to send out very large bursts of traffic.
  All in all, this new code is much cleaner than the previous one and should also perform better.
  Work supported by Akamba Corp.
* 1999-12-22 shin (1 file, -2/+8)
  IPSEC support in the kernel.
  pr_input() routines prototype is also changed to support IPSEC and IPV6 chained protocol headers.
  Reviewed by: freebsd-arch, cvs-committers
  Obtained from: KAME project
* 1999-11-26 luigi (1 file, -3/+3)
  RTFREE the correct route entry in dummynet_io(). The previous code failed in handling things like "forward" actions.
  Reported-and-tested-by: Jean-Hugues ROYER jhroyer@joher.com
* 1999-08-28 peter (1 file, -1/+1)
  $Id$ -> $FreeBSD$
* 1999-08-17 billf (1 file, -2/+2)
  Fix a printf() formatter to match its variable.
  Reviewed by: bde, luigi
* 1999-08-11 luigi (1 file, -3/+5)
  Add spl() protection to prevent the timer from being invoked multiple times resulting in higher bandwidth and lower delays.
  Reported-by: Jamshid Madhavi
* 1999-05-06 peter (1 file, -4/+4)
  Fix two warnings; and note a problem where a pointer is stored in an int variable - this can't work on an Alpha.
* 1999-05-04 luigi (1 file, -4/+5)
  Free the dummynet descriptor in ip_dummynet, not in the called routines. The descriptor contains parameters which could be used within those routines (eg. ip_output() ).
  On passing, add IPPROTO_PGM entry to netinet/in.h
* 1999-05-04 luigi (1 file, -24/+34)
  assorted dummynet cleanup:
  + plug an mbuf leak when dummynet used with bridging
  + make prototype of dummynet_io consistent with usage
  + code cleanup so that now bandwidth regulation is precise to the bit/s and not to (8*HZ) bit/s as before.
* 1999-04-20 peter (1 file, -10/+5)
  Tidy up some stray / unused stuff in the IPFW package and friends.
  - unifdef -DCOMPAT_IPFW (this was on by default already)
  - remove traces of in-kernel ip_nat package, it was never committed.
  - Make IPFW and DUMMYNET initialize themselves rather than depend on compiled-in hooks in ip_init(). This means they initialize the same way both in-kernel and as kld modules. (IPFW initializes now :-)