summaryrefslogtreecommitdiffstats
path: root/sys/netinet6
Commit message (Collapse)AuthorAgeFilesLines
* Merge remote-tracking branch 'origin/stable/10' into develRenato Botelho2015-11-112-19/+47
|\
| * MFC r288600:hrs2015-11-042-19/+47
| | | | | | | | | | | | | | | | | | | | | | | | - Schedule DAD for IN6_IFF_TENTATIVE addresses in nd6_timer(). This catches cases that DAD probes cannot be sent because of IFF_UP && !IFF_DRV_RUNNING. - nd6_dad_starttimer() now calls nd6_dad_ns_output(), instead of calling it before nd6_dad_starttimer(). - Do not release an entry in dadq when a duplicate entry is being added.
* | MFC r282046:Luiz Otavio O Souza2015-10-202-9/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix possible use after free due to security policy deletion. When we are passing mbuf to IPSec processing via ipsec[46]_process_packet(), we hold one reference to security policy and release it just after return from this function. But IPSec processing can be deffered and when we release reference to security policy after ipsec[46]_process_packet(), user can delete this security policy from SPDB. And when IPSec processing will be done, xform's callback function will do access to already freed memory. To fix this move KEY_FREESP() into callback function. Now IPSec code will release reference to SP after processing will be finished. Differential Revision: https://reviews.freebsd.org/D2324 No objections from: #network Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275716:Luiz Otavio O Souza2015-10-202-3/+0
| | | | | | | | | | | | | | | | | | | | | | Do not count security policy violation twice. ipsec*_in_reject() do this by their own. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275715:Luiz Otavio O Souza2015-10-202-49/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use ipsec6_in_reject() to simplify ip6_ipsec_fwd() and ip6_ipsec_input(). ipsec6_in_reject() does the same things, also it counts policy violation errors. Do IPSEC check in the ip6_forward() after addresses checks. Also use ip6_ipsec_fwd() to make code similar to IPv4 implementation. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275710:Luiz Otavio O Souza2015-10-204-12/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove flag/flags argument from the following functions: ipsec_getpolicybyaddr() ipsec4_checkpolicy() ip_ipsec_output() ip6_ipsec_output() The only flag used here was IP_FORWARDING. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275704:Luiz Otavio O Souza2015-10-201-24/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Move ip_ipsec_fwd() from ip_input() into ip_forward(). Remove check for presence PACKET_TAG_IPSEC_IN_DONE mbuf tag from ip_ipsec_fwd(). PACKET_TAG_IPSEC_IN_DONE tag means that packet is already handled by IPSEC code. This means that before IPSEC processing it was destined to our address and security policy was checked in the ip_ipsec_input(). After IPSEC processing packet has new IP addresses and destination address isn't our own. So, anyway we can't check security policy from the mbuf tag, because it corresponds to different addresses. We should check security policy that corresponds to packet attributes in both cases - when it has a mbuf tag and when it has not. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275703:Luiz Otavio O Souza2015-10-201-21/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its security policy. The changed block of code in ip*_ipsec_input() is called when packet has ESP/AH header. Presence of PACKET_TAG_IPSEC_IN_DONE mbuf tag in the same time means that packet was already handled by IPSEC and reinjected in the netisr, and it has another ESP/AH headers (encrypted twice?). Since it was already processed by IPSEC code, the AH/ESP headers was already stripped (and probably outer IP header was stripped too) and security policy from the tdb_ident was applied to those headers. It is incorrect to apply this security policy to current headers. Also make ip_ipsec_input() prototype similar to ip6_ipsec_input(). Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275702:Luiz Otavio O Souza2015-10-201-47/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove check for presence of PACKET_TAG_IPSEC_PENDING_TDB and PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED mbuf tags. They aren't used in FreeBSD. Instead check presence of PACKET_TAG_IPSEC_OUT_DONE mbuf tag. If it is found, bypass security policy lookup as described in the comment. PACKET_TAG_IPSEC_OUT_DONE tag added to mbuf when IPSEC code finishes ESP/AH processing. Since it was already finished, this means the security policy placed in the tdb_ident was already checked. And there is no reason to check it again here. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r272299:Luiz Otavio O Souza2015-10-201-11/+4
| | | | | | | | | | | | | | | | | | | | Remove redundant call to ipsec_getpolicybyaddr(). ipsec_hdrsiz() will call it internally. Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | Revert IPSEC patches.Luiz Otavio O Souza2015-10-202-57/+47
| | | | | | | | | | | | | | | | | | Revert "Importing pfSense patch IPSEC_sysctl.RELENG_10.diff" This reverts commit 1a5bcc816de96758225aa0a4d2b5ddc7b88b6b58. TAG: IPSEC-HEAD Issue: #4841
* | Merge branch 'stable/10' into develRenato Botelho2015-10-071-1/+1
|\ \ | |/
| * Remove extra space introduced in r287734. This is a stable/10 only fixgarga2015-09-221-1/+1
| | | | | | | | | | | | | | since original commit (r287094) is correct. Approved by: loos Sponsored by: Rubicon Communications (Netgate)
* | Merge branch 'stable/10' into develRenato Botelho2015-09-225-142/+47
|\ \ | |/
| * MFC 287094:hrs2015-09-134-18/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Deprecate IN6_IFF_NODAD. It was used to prevent DAD on a loopback interface but in6if_do_dad() already had a check for IFF_LOOPBACK. - Remove in6if_do_dad() check in in6_broadcast_ifa(). An address which needs DAD always has IN6_IFF_TENTATIVE there. - in6if_do_dad() now returns EAGAIN when the interface is not ready since DAD callout handler ignores such an interface. - In DAD callout handler, mark an address as IN6_IFF_TENTATIVE when the interface has ND6_IFF_IFDISABLED. And Do IFF_UP and IFF_DRV_RUNNING check consistently when DAD is required. - draft-ietf-6man-enhanced-dad is now published as RFC 7527. - Fix some typos.
| * MFC 287095, 287610, 287611, 287617:hrs2015-09-133-114/+22
| | | | | | | | Remove obsolete API (SIOCGDRLST_IN6 and SIOCGPRLST_IN6) support.
| * MFC 287609:hrs2015-09-131-4/+6
| | | | | | | | Do not add IN6_IFF_TENTATIVE when ND6_IFF_NO_DAD.
| * MFC 287608:hrs2015-09-132-6/+0
| | | | | | | | Remove IN6_IFF_NOPFX. This flag was no longer used.
* | Importing pfSense patch IPSEC_sysctl.RELENG_10.diffRenato Botelho2015-08-172-47/+57
| |
* | Importing pfSense patch pfil.RELENG_10.diffRenato Botelho2015-08-171-0/+4
|/
* MFC r285710:ae2015-08-051-0/+1
| | | | Invoke LLE event handler when entry is deleted.
* MFC r282805:hrs2015-07-232-16/+4
| | | | | | | | | | - Remove ND6_IFF_IGNORELOOP. This functionality was useless in practice because a link where looped back NS messages are permanently observed does not work with either NDP or ARP for IPv4. - draft-ietf-6man-enhanced-dad is now RFC 7527. Approved by: re (gjb)
* MFC r273992:hrs2015-07-231-26/+24
| | | | | | | Fix a bug which prevented ND6_IFF_IFDISABLED flag from clearing when the newly-added IPv6 address was /128. Approved by: re (gjb)
* MFC r284515:tuexen2015-06-201-1/+3
| | | | | | | Add FIB support for SCTP. This fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200379 PR: 200379
* Merge r281234kp2015-06-181-40/+41
| | | | | | | | | | | Evaluate packet size after the firewall had its chance Defer the packet size check until after the firewall has had a look at it. This means that the firewall now has the opportunity to (re-)fragment an oversized packet. Differential Revision: https://reviews.freebsd.org/D2821 Reviewed by: gnn
* Merge r281165kp2015-06-181-15/+2
| | | | | | | | | | | Remove duplicate code We'll just fall into the same local delivery block under the 'if (m->m_flags & M_FASTFWD_OURS)'. Suggested by: ae Differential Revision: https://reviews.freebsd.org/D2820 Reviewed by: gnn
* Merge r280955kp2015-06-182-4/+6
| | | | | | | | | | | | | | | Preserve IPv6 fragment IDs accross reassembly and refragmentation When forwarding fragmented IPv6 packets and filtering with PF we reassemble and refragment. That means we generate new fragment headers and a new fragment ID. We already save the fragment IDs so we can do the reassembly so it's straightforward to apply the incoming fragment ID on the refragmented packets. Differential Revision: https://reviews.freebsd.org/D2817 Reviewed by: gnn
* Merge r278842kp2015-06-182-48/+64
| | | | | | | Factor out ip6_fragment() function, to be used in IPv6 stack and pf(4). Differential Revision: https://reviews.freebsd.org/D2815 Reviewed by: gnn
* Merge r278828, r278832kp2015-06-182-19/+33
| | | | | | | | - Factor out ip6_deletefraghdr() function, to be shared between IPv6 stack and pf(4). - Move ip6_deletefraghdr() to frag6.c. (Suggested by bz) Differential Revision: https://reviews.freebsd.org/D2813 Reviewed by: gnn
* MFC r276148:ae2015-06-063-53/+5
| | | | | | | | | | Remove in_gif.h and in6_gif.h files. They only contain function declarations used by gif(4). Instead declare these functions in C files. Also make some variables static. MFC r276215: Extern declarations in C files loses compile-time checking that the functions' calls match their definitions. Move them to header files.
* MFC r274246:ae2015-06-062-0/+163
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Overhaul if_gre(4). Split it into two modules: if_gre(4) for GRE encapsulation and if_me(4) for minimal encapsulation within IP. gre(4) changes: * convert to if_transmit; * rework locking: protect access to softc with rmlock, protect from concurrent ioctls with sx lock; * correct interface accounting for outgoing datagramms (count only payload size); * implement generic support for using IPv6 as delivery header; * make implementation conform to the RFC 2784 and partially to RFC 2890; * add support for GRE checksums - calculate for outgoing datagramms and check for inconming datagramms; * add support for sending sequence number in GRE header; * remove support of cached routes. This fixes problem, when gre(4) doesn't work at system startup. But this also removes support for having tunnels with the same addresses for inner and outer header. * deprecate support for various GREXXX ioctls, that doesn't used in FreeBSD. Use our standard ioctls for tunnels. me(4): * implementation conform to RFC 2004; * use if_transmit; * use the same locking model as gre(4); PR: 164475 MFC r274289 (by bz): gcc requires variables to be initialised in two places. One of them is correctly used only under the same conditional though. For module builds properly check if the kernel supports INET or INET6, as otherwise various mips kernels without IPv6 support would fail to build. MFC r274964: Add ip_gre.h to ObsoleteFiles.inc.
* Rework r281868 to not skip RTM announces for tunneling interfaces.ae2015-06-051-22/+21
| | | | | | This is direct commit to stable/10. Tested by: tuexen@
* MFC r275392:ae2015-06-022-10/+0
| | | | | | | | | | Remove route chaching support from ipsec code. It isn't used for some time. * remove sa_route_union declaration and route_cache member from struct secashead; * remove key_sa_routechange() call from ICMP and ICMPv6 code; * simplify ip_ipsec_mtu(); * remove #include <net/route.h>; Sponsored by: Yandex LLC
* MFC r282965:ae2015-05-311-3/+9
| | | | | | | | | | Add an ability accept encapsulated packets from different sources by one gif(4) interface. Add new option "ignore_source" for gif(4) interface. When it is enabled, gif's encapcheck function requires match only for packet's destination address. Differential Revision: https://reviews.freebsd.org/D2004 Sponsored by: Yandex LLC
* MFC r283650:tuexen2015-05-311-2/+4
| | | | | Fix and cleanup the debug information. This has no user-visible changes. Thanks to Irene Ruengeler for proving a patch.
* MFC r276914:tuexen2015-05-291-7/+1
| | | | | Minimize the usage of SCTP_BUF_IS_EXTENDED. This should help Robert...
* MFC r275868:tuexen2015-05-291-1/+4
| | | | | | | Plug a memory leak in an error code path. Reported by: Coverity CID: 1018936
* MFC r282578:ae2015-05-141-9/+5
| | | | | | | | Mark data checksum as valid for multicast packets, that we send back to myself via simloop. Also remove duplicate check under #ifdef DIAGNOSTIC. PR: 180065
* MFC r274223 (by glebius):hrs2015-05-121-4/+0
| | | | | | | Remove VNET_SYSCTL_ARG(). The generic sysctl(9) code handles that. A panic could occur by "sysctl -a" when using VIMAGE-enabled stable/10 kernel after r262734 because of this missing MFC.
* MFC r261708, r261847, r268525, r274316, r274347, r275593,hiren2015-05-084-416/+448
| | | | | | | | | | | | | | | r276844, r276847, r279531, r279559, r279564, r279676 A bunch of IPv6 fixes by melifaro, hrs and ae Major changes: Simplify nd6_output_lle() Add refcounting to DAD and fix races and other errors Implement Enhanced DAD algorithm for IPv6 Suggested by: ae Tested by: Jason Wolfe <j at nitrology.com> Sponsored by: Limelight Networks
* MFC r281483:markj2015-05-051-4/+3
| | | | Fix a possible refcount leak in regen_tmpaddr().
* MFC r275358 r275483 r276982 - Removing M_FLOWID by hps@hiren2015-04-241-9/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | r275358: Start process of removing the use of the deprecated "M_FLOWID" flag from the FreeBSD network code. The flag is still kept around in the "sys/mbuf.h" header file, but does no longer have any users. Instead the "m_pkthdr.rsstype" field in the mbuf structure is now used to decide the meaning of the "m_pkthdr.flowid" field. To modify the "m_pkthdr.rsstype" field please use the existing "M_HASHTYPE_XXX" macros as defined in the "sys/mbuf.h" header file. This patch introduces new behaviour in the transmit direction. Previously network drivers checked if "M_FLOWID" was set in "m_flags" before using the "m_pkthdr.flowid" field. This check has now now been replaced by checking if "M_HASHTYPE_GET(m)" is different from "M_HASHTYPE_NONE". In the future more hashtypes will be added, for example hashtypes for hardware dedicated flows. "M_HASHTYPE_OPAQUE" indicates that the "m_pkthdr.flowid" value is valid and has no particular type. This change removes the need for an "if" statement in TCP transmit code checking for the presence of a valid flowid value. The "if" statement mentioned above is now a direct variable assignment which is then later checked by the respective network drivers like before. r275483: Remove M_FLOWID from SCTP code. r276982: Remove no longer used "M_FLOWID" flag from mbuf.h and update the netisr manpage. Note: The FreeBSD version has been bumped. Reviewed by: hps, tuexen Sponsored by: Limelight Networks
* MFC r281380:ae2015-04-241-5/+9
| | | | | | | | | | | | | | | | | Fix the IPV6_MULTICAST_IF sockopt handling. RFC 3493 says when the interface index is specified as zero, the system should select the interface to use for outgoing multicast packets. Even the comment for the in6p_set_multicast_if() function says about index of zero. But in fact for zero index the function just returns EADDRNOTAVAIL. I.e. if you first set some interface and then will try reset it with zero ifindex, you will get EADDRNOTAVAIL. Reset im6o_multicast_ifp to NULL when interface index specified as zero. Also return EINVAL in case when ifnet_byindex() returns NULL. This will be the same behaviour as when ifindex is bigger than V_if_index. And return EADDRNOTAVAIL only when interface is not multicast capable.
* MFC r274988 (with modification):ae2015-04-222-3/+2
| | | | | | Skip L2 addresses lookups for tunneling interfaces. PR: 197286
* MFC r281309:ae2015-04-221-14/+6
| | | | | | | | | | Fix the check for maximum mbuf's size needed to send ND6 NA and NS. It is acceptable that the size can be equal to MCLBYTES. In the later KAME's code this check has been moved under DIAGNOSTIC ifdef, because the size of NA and NS is much smaller than MCLBYTES. So, it is safe to replace the check with KASSERT. PR: 199304
* Improve patch for SA-15:04.igmp to solve a potential buffer overflow.delphij2015-04-071-2/+10
| | | | | | | | Fix multiple vulnerabilities of ntp. [SA-15:07] Fix bsdinstall(8) insecure default GELI keyfile permissions. [SA-15:08] Fix Denial of Service with IPv6 Router Advertisements. [SA-15:09]
* MFC r280236:ae2015-03-261-1/+1
| | | | | To avoid a possible race, release the reference to ifa after return from nd6_dad_na_input().
* MFC r279588:ae2015-03-124-36/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | Fix deadlock in IPv6 PCB code. When several threads are trying to send datagram to the same destination, but fragmentation is disabled and datagram size exceeds link MTU, ip6_output() calls pfctlinput2(PRC_MSGSIZE). It does notify all sockets wanted to know MTU to this destination. And since all threads hold PCB lock while sending, taking the lock for each PCB in the in6_pcbnotify() leads to deadlock. RFC 3542 p.11.3 suggests notify all application wanted to receive IPV6_PATHMTU ancillary data for each ICMPv6 packet too big message. But it doesn't require this, when we don't receive ICMPv6 message. Change ip6_notify_pmtu() function to be able use it directly from ip6_output() to notify only one socket, and to notify all sockets when ICMPv6 packet too big message received. MFC r279684: tcp6_ctlinput() doesn't pass MTU value to in6_pcbnotify(). Check cmdarg isn't NULL before dereference, this check was in the ip6_notify_pmtu() before r279588. PR: 197059 Sponsored by: Yandex LLC
* MFC of r278472rrs2015-02-152-4/+22
| | | | | | | | | | | | | | | | | | | | This fixes a bug in the way that the LLE timers for nd6 and arp were being used. They basically would pass in the mutex to the callout_init. Because they used this method to the callout system, it was possible to "stop" the callout. When flushing the table and you stopped the running callout, the callout_stop code would return 1 indicating that it was going to stop the callout (that was about to run on the callout_wheel blocked by the function calling the stop). Now when 1 was returned, it would lower the reference count one extra time for the stopped timer, then a few lines later delete the memory. Of course the callout_wheel was stuck in the lock code and would then crash since it was accessing freed memory. By using callout_init(c, 1) we always get a 0 back and the reference counting bug does not rear its head. We do have to make a few adjustments to the callouts themselves though to make sure it does the proper thing if rescheduled as well as gets the lock. Sponsored by: Netflix Inc.
* MFC r278268:ae2015-02-121-1/+2
| | | | Print IPv6 address in log message instead of address of pointer.
OpenPOWER on IntegriCloud