| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Fix multiple vulnerabilities of ntp. [SA-15:07]
Fix bsdinstall(8) insecure default GELI keyfile permissions. [SA-15:08]
Fix Denial of Service with IPv6 Router Advertisements. [SA-15:09]
|
|
|
|
|
| |
To avoid a possible race, release the reference to ifa after return
from nd6_dad_na_input().
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix deadlock in IPv6 PCB code.
When several threads are trying to send datagram to the same destination,
but fragmentation is disabled and datagram size exceeds link MTU,
ip6_output() calls pfctlinput2(PRC_MSGSIZE). It does notify all
sockets wanted to know MTU to this destination. And since all threads
hold PCB lock while sending, taking the lock for each PCB in the
in6_pcbnotify() leads to deadlock.
RFC 3542 p.11.3 suggests notify all application wanted to receive
IPV6_PATHMTU ancillary data for each ICMPv6 packet too big message.
But it doesn't require this, when we don't receive ICMPv6 message.
Change ip6_notify_pmtu() function to be able use it directly from
ip6_output() to notify only one socket, and to notify all sockets
when ICMPv6 packet too big message received.
MFC r279684:
tcp6_ctlinput() doesn't pass MTU value to in6_pcbnotify().
Check cmdarg isn't NULL before dereference, this check was in the
ip6_notify_pmtu() before r279588.
PR: 197059
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a bug in the way that the LLE timers for nd6
and arp were being used. They basically would pass in the
mutex to the callout_init. Because they used this method
to the callout system, it was possible to "stop" the callout.
When flushing the table and you stopped the running callout, the
callout_stop code would return 1 indicating that it was going
to stop the callout (that was about to run on the callout_wheel blocked
by the function calling the stop). Now when 1 was returned, it would
lower the reference count one extra time for the stopped timer, then
a few lines later delete the memory. Of course the callout_wheel was
stuck in the lock code and would then crash since it was accessing
freed memory. By using callout_init(c, 1) we always get a 0 back
and the reference counting bug does not rear its head. We do have
to make a few adjustments to the callouts themselves though to make
sure it does the proper thing if rescheduled as well as gets the lock.
Sponsored by: Netflix Inc.
|
|
|
|
| |
Print IPv6 address in log message instead of address of pointer.
|
|
|
|
|
|
|
|
| |
Add context pointer and source address to the UDP tunnel callback
These are needed for the forthcoming vxlan implementation. The context
pointer means we do not have to use a spare pointer field in the inpcb,
and the source address is required to populate vxlan's forwarding table.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Overhaul if_gif(4):
o convert to if_transmit;
o use rmlock to protect access to gif_softc;
o use sx lock to protect from concurrent ioctls;
o remove a lot of unneeded and duplicated code;
o remove cached route support (it won't work with concurrent io);
o style fixes.
MFC r273090:
Move memset under ifdef INET6.
MFC r273091:
Add more ifdefs. SIOC*_IN6 are defined only with INET6.
MFC r273121:
Add inet/inet6 to the dependency list. Without them if_gif is useless.
MFC r273209 by bz:
After r273087,r273090,r273091,r273121 changes to gif(4) try to fix
NOIP builds for real.
MFC r273587:
Remove redundant check and m_pullup() call.
|
|
|
|
|
|
| |
Remove unneded check. No need to do m_pullup to the size that we prepended.
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix ips_out_nosa errors accounting.
MFC r274454:
ipsec6_process_packet is called before ip6_output fixes ip6_plen.
Update ip6_plen before bpf processing to be able see correct value.
MFC r274455:
We don't return sp pointer, thus NULL assignment isn't needed.
And reference to sp will be freed at the end.
MFC r274465:
Remove redundant ip6_plen initialization.
MFC r274466:
Strip IP header only when we act in tunnel mode.
MFC r274467:
Count statistics for the specific address family.
Sponsored by: Yandex LLC
|
|
|
|
| |
Add missing UDP multicast receive dtrace probes
|
|
|
|
|
|
| |
Move the calls to u_tun_func() into udp6_append()
A similar cleanup for UDPv4 was performed in r220620.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix mbuf leak in IPv6 multicast code.
When multicast capable interface goes away, it leaves multicast groups,
this leads to generate MLD reports, but MLD code does deffered send and
MLD reports are queued in the in6_multi's in6m_scq ifq. The problem is
that in6_multi structures are freed when interface leaves multicast groups
and thread that does deffered send will not take these queued packets.
PR: 194577
MFC r273857:
Move ifq drain into in6m_purge().
Suggested by: bms
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPv4-in-IPv6 and IPv6-in-IPv4 IPsec tunnels.
For IPv6-in-IPv4, you may need to do the following command
on the tunnel interface if it is configured as IPv4 only:
ifconfig <interface> inet6 -ifdisabled
Code logic inspired from NetBSD.
PR: kern/169438
MC r266822 by bz:
Use IPv4 statistics in ipsec4_process_packet() rather than the IPv6
version. This also unbreaks the NOINET6 builds after r266800.
MFC r268083 by zec:
The assumption in ipsec4_process_packet() that the payload may be
only IPv4 is wrong, so check the IP version before mangling the
payload header.
MFC r272394:
Do not strip outer header when operating in transport mode.
Instead requeue mbuf back to IPv4 protocol handler. If there is one extra IP-IP
encapsulation, it will be handled with tunneling interface. And thus proper
interface will be exposed into mbuf's rcvif. Also, tcpdump that listens on tunneling
interface will see packets in both directions.
PR: 194761
|
|
|
|
|
|
|
|
| |
Fix EtherIP. TOS field must be initialized when the inner protocol is
PF_LINK, and multicast/broadcast flag should always be dropped because
the outer protocol uses unicast even when the inner address is not for
unicast. It had been broken since r236951 when gif_output() started to
use IFQ_HANDOFF().
|
|
|
|
|
|
|
|
| |
Cancel DAD for an ifa when the ifp has ND6_IFF_IFDISABLED as early as
possible and do not clear IN6_IFF_TENTATIVE. If IFDISABLED was accidentally
set after a DAD started, TENTATIVE could be cleared because no NA was
received due to IFDISABLED, and as a result it could prevent DAD when
manually clearing IFDISABLED after that.
|
|
|
|
|
| |
- Add rwlock to struct dadq. A panic could occur when a large number of
addresses performed DAD at the same time.
|
|
|
|
|
|
|
|
| |
Add the ability to set `prefer_source' flag to an IPv6 address.
It affects the IPv6 source address selection algorithm (RFC 6724)
and allows override the last rule ("longest matching prefix") for
choosing among equivalent addresses. The address with `prefer_source'
will be preferred source address.
|
|
|
|
|
| |
Fix a bug introduced in
https://svnweb.freebsd.org/base?view=revision&revision=272347
|
|
|
|
| |
UDP/IPv6 and UDPLite/IPv6 require a checksum. So check for it.
|
|
|
|
|
| |
Check for UDP/IPv6 packets that the length in the UDP header is at least
the minimum. Make the check similar to the one for UDPLite/IPv6.
|
|
|
|
|
|
|
|
|
| |
Fix the checksum computation for UDPLite/IPv6. This requires the
usage of a function computing the checksum only over a part of the function.
Therefore introduce in6_cksum_partial() and implement in6_cksum() based
on that.
While there, ensure that the UDPLite packet contains at least enough bytes
to contain the header.
|
|
|
|
|
|
|
|
| |
The default for UDPLITE_RECV_CSCOV is zero. RFC 3828 recommend
that this means full checksum coverage for received packets.
If an application is willing to accept packets with partial
coverage, it is expected to use the socket option and provide
the minimum coverage it accepts.
|
|
|
|
|
|
| |
If the checksum coverage field in the UDPLITE header is the length
of the complete UDPLITE packet, the packet has full checksum coverage.
So fix the condition.
|
|
|
|
|
|
|
| |
When plen != ulen, it should only be checked when this is UDP.
The commit is from kevlo and he agreed that I MFC it as part of the
UDPLite fixes.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Announce SCTP support in the kern.features sysctl variables.
MFC r270859:
Enable SCTP support. It runs perfectly fine on a Wandboard quad.
MFC r271204 with manual intervention:
Fix the handling of sysctl variables when used with VIMAGE.
While there do some cleanup of the code.
MFC r271209:
Fix a leak of an address, if the address is scheduled for removal
and the stack is torn down.
Thanks to Peter Bostroem and Jiayang Liu from Google for reporting the
issue.
MFC r271219:
Use SYSCTL_PROC instead of SYSCTL_VNET_PROC.
Suggested by: glebius@
MFC r271221:
Use union sctp_sockstore instead of struct sockaddr_storage. This
eliminates some warnings when building in userland.
Thanks to Patrick Laimbock for reporting this issue.
Remove also some unnecessary casts.
There should be no functional change.
MFC r271228:
Address another warnings reported by Patrick Laimbock when compiling
in userspace. While there, improve consistency.
MFC r271230:
Address warnings generated by the clang analyzer.
Approved by: re (kib)
|
|
|
|
|
|
|
| |
Add the reverse part to rule #9. Also change its description in the
netstat(8) output.
Approved by: re (gjb)
|
|
|
|
|
|
|
|
|
|
|
| |
Remove KASSERT from in6p_lookup_mcast_ifp().
When the devel/jenkins port, version 1.551 was started,
the kernel would panic if INVARIANTS was enabled in the kernel config.
Suggested by: bms
Approved by: re (gjb)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add some missing checks for unsupported interfaces (e.g. pflog(4)) when
handling ioctls. While here, remove duplicated checks for a NULL ifp in
in6_control(): this check is already done near the beginning of the
function.
MFC r270349:
Suppress warnings when retrieving protocol stats from interfaces that
don't support IPv6 (e.g. pflog(4)).
PR: 189117
Approved by: re (gjb)
|
|
|
|
|
|
|
|
| |
Fix panic with RADIX_MPATH, when RTFREE_LOCKED() called for already
unlocked route. Use in6_rtalloc() instead of in6_rtalloc1. This helps
simplify the code and remove several now unused variables.
PR: 156283
|
|
|
|
|
|
| |
Correct warnings comparing unsigned variables < 0 constantly reported
while building kernels. All instances removed are indeed unsigned so
the expressions could not be true.
|
|
|
|
|
|
|
| |
Add new rule to source address selection algorithm. It prefers address
with better virtual status. Use ifa_preferred() to choose better address.
PR: 187341
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add support for UDP-Lite protocol (RFC 3828) to IPv4 and IPv6 stacks.
Tested with vlc and a test suite [1].
[1] http://www.erg.abdn.ac.uk/~gerrit/udp-lite/files/udplite_linux.tar.gz
Reviewed by: jhb, glebius, adrian
- Fix a logic bug which prevented the sending of UDP packet with 0 checksum.
- Disable TX checksum offload for UDP-Lite completely. It wasn't used for
partial checksum coverage, but even for full checksum coverage it doesn't
work.
|
|
|
|
|
|
| |
Remove unused variable.
PR: 173521
|
|
|
|
|
|
| |
Properly release the in6_multi lock.
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
| |
Don't generate an ICMPv6 error message if packet was consumed by filter.
Remove unused label.
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
|
|
|
| |
- Remove rt_metrics_lite and simply put its members into rtentry.
- Use counter(9) for rt_pksent (former rt_rmx.rmx_pksent). This
removes another cache trashing ++ from packet forwarding path.
- Create zini/fini methods for the rtentry UMA zone. Via initialize
mutex and counter in them.
- Fix reporting of rmx_pksent to routing socket.
- Fix netstat(1) to report "Use" both in kvm(3) and sysctl(3) mode.
|
|
|
|
|
|
|
| |
of IPSEC and packet filters.
PR: kern/185876
PR: kern/186755
|
|
|
|
|
|
|
|
| |
Only count table lookups when we're actually processing packets.
PR: 183462
Submitted by: Sven-Thorsten Dietrich <thebigcorporation at gmail.com>
Reviewed by: bms
|
|
|
|
|
|
|
|
|
|
| |
r261825, r261859, r261875, r261883, r261911, r262027, r262028, r262029,
r262030, r262162 from head.
Large flowtable revamp. See commit messages for merged revisions for
details.
Sponsored by: Netflix
|
|
|
|
|
|
|
| |
Drop packets to multicast address whose scop field contains the
reserved value 0.
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
|
|
|
| |
Take exclusive lock only when lle isn't NULL. We don't need write access
to lle in most cases.
MFC r261583:
Unlock entry before retry.
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
| |
Remove extra nesting from X_ip6_mforward() function.
Also remove disabled definitions from ip6_mroute.h.
PR: 185148
|
|
|
|
|
| |
Add MRT6_DLOG() macro for debugging.
Reduce number of MRT6DEBUG ifdefs and fix some broken format strings.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use an RLOCK here instead of an RWLOCK - matching all the other calls
to lla_lookup().
This drastically reduces the very high lock contention when doing parallel
TCP throughput tests (> 1024 sockets) with IPv6.
MFC r260187:
lla_lookup() does modification only when LLE_CREATE is specified.
Thus we can use IF_AFDATA_RLOCK() instead of IF_AFDATA_LOCK() when doing
lla_lookup() without LLE_CREATE flag.
MFC r260217:
Add IF_AFDATA_WLOCK_ASSERT() in case lla_lookup() is called with
LLE_CREATE flag.
|
|
|
|
|
|
| |
In sys/netinet6/in6_mcast.c, in6m_is_ifp_detached() is only used
whenever KTR is defined, so put it between #ifdef KTR guards. This
avoids a warning about a unused function if KTR is not enabled.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove a buggy comparision when setting manually the path MTU.
After fixing, the comparision would have become redundant.
Thanks to Andrew Galante for reporting the issue.
MFC r257272:
Fix compilation if SCTP_DONT_DO_PRIVADDR_SCOPE is defined.
The issue was reported by Andrew Galante.
MFC r257274:
Fix the value of *optlen when calling getsockopt() for
SCTP_REMOTE_UDP_ENCAPS_PORT.
This issue was reported by Andrew Galante.
MFC r257359:
Terminate a debug output with a \n.
MFC r257555:
Changes from upstream to improve compilation when INET or INET6
or none of them is defined.
MFC r257574:
Unlock the lock before destroying it.
This issue was reported by Andrew Galante.
MFC r257800:
Use htons()/ntohs() appropriately.
These issues were reported by Andrew Galante.
MFC r257803:
Make sure that we don't try to build an ASCONF-ACK chunk
larger than what fits in the the mbuf cluster.
This issue was reported by Andrew Galante.
MFC r257804:
Get rid of the artification limitation enforced by
SCTP_AUTH_RANDOM_SIZE_MAX.
This was suggested by Andrew Galante.
MFC r258221:
Cleanups which result in fixes which have been made upstream
and where partially suggested by Andrew Galante.
There is no functional change in FreeBSD.
MFC r258224:
When determining if an address belongs to an stcb, take the address family
into account for wildcard bound endpoints.
MFC r258228:
Remove a stray write operation.
MFC r258235:
Use SCTP_PR_SCTP_TTL when the user provides a positive
timetolive in sctp_sendmsg().
Approved by: re@
|
|
|
|
|
|
|
|
| |
Initialize inc_fibnum for properly handling ICMP6_PACKET_TOO_BIG
errors in multifib environment.
PR: 183265
Approved by: re (hrs)
|
|
|
|
|
|
| |
Tested by: hselasky
PR: usb/182820
Approved by: re (glebius)
|
|
|
|
|
|
| |
Submitted by: Loganaden Velvindron <logan elandsys.com>
Obtained from: NetBSD
Approved by: re (kib)
|