| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
Add missing braces around MCAST_EXCLUDE check when KTR support is
compiled into the kernel
This ensures that .iss_asm (the number of ASM listeners) isn't incorrectly
decremented for MLD-layer source datagrams when inspecting im*s_st[1]
(the second state in the structure).
PR: 217509 [1]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pf: Fix possible incorrect IPv6 fragmentation
When forwarding pf tracks the size of the largest fragment in a fragmented
packet, and refragments based on this size.
It failed to ensure that this size was a multiple of 8 (as is required for all
but the last fragment), so it could end up generating incorrect fragments.
For example, if we received an 8 byte and 12 byte fragment pf would emit a first
fragment with 12 bytes of payload and the final fragment would claim to be at
offset 8 (not 12).
We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so
other users won't make the same mistake.
Reported by: Antonios Atlasis <aatlasis at secfu net>
|
|
|
|
|
|
|
| |
When IPv6 fragments reassembly is complete, update mbuf's csum_data
and csum_flags using information from all fragments. This fixes
dropping of reassembled packets due to wrong checksum when the IPv6
checksum offloading is enabled on a network card.
|
|
|
|
|
| |
The main purpose of this MFC is to reduce conflicts for other merges.
Parts of the original change have already "trickled down" via individual MFCs.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r286227:
Decompose TCP INP_INFO lock to increase short-lived TCP connections scalability:
- The existing TCP INP_INFO lock continues to protect the global inpcb list
stability during full list traversal (e.g. tcp_pcblist()).
- A new INP_LIST lock protects inpcb list actual modifications (inp allocation
and free) and inpcb global counters.
It allows to use TCP INP_INFO_RLOCK lock in critical paths (e.g. tcp_input())
and INP_INFO_WLOCK only in occasional operations that walk all connections.
PR: 183659
Differential Revision: https://reviews.freebsd.org/D2599
Reviewed by: jhb, adrian
Tested by: adrian, nitroboost-gmail.com
Sponsored by: Verisign, Inc.
r286443:
Fix a kernel assertion issue introduced with r286227:
Avoid too strict INP_INFO_RLOCK_ASSERT checks due to
tcp_notify() being called from in6_pcbnotify().
Reported by: Larry Rosenman <ler@lerctr.org>
Submitted by: markj, jch
|
|
|
|
| |
Use Node Information flag names instead of hard-coding their values.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
296063:
Lock the NDP default router list and count defrouter references.
This addresses a number of race conditions that can cause crashes as a
result of unsynchronized access to the list.
297397
Modify nd6_llinfo_timer() to acquire the nd6 lock before the LLE lock.
When expiring a neighbour cache entry we may need to look up the associated
default router, which requires the nd6 read lock. To avoid an LOR, the nd6
lock should be acquired first.
299213
Clean up callers of nd6_prelist_add().
nd6_prelist_add() sets *newp if and only if it is successful, so there's no
need for code that handles the case where the return value is 0 and
*newp == NULL. Fix some style bugs in nd6_prelist_add() while here.
Submitted by: Jason Wolfe <j@nitrology.com>
|
|
|
|
|
|
|
| |
NDP code cleanup changes.
MFC r295732:
Fix an IPv6 DAD reference count leak.
|
|
|
|
| |
Various NDP cleanups. No functional change intended.
|
|
|
|
|
| |
Change in6_selectsrc() to allow usage of non-local IPv6 addresses in
IPV6_PKTINFO ancillary data when IPV6_BINDANY socket option is set.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Loopback addresses are 127.0.0.0/8, not 127.0.0.1/32.
MFC r295668:
Improve the teardown of the SCTP stack.
MFC r295670:
Whitespace changes.
MFC r295708:
Address a warning reported by D5245 / PVS.
MFC r295709:
Code cleanup which will silence a warning in PVS / D5245.
MFC r295710:
Add protection code for issues reported by PVS / D5245.
MFC r295771:
Fix reporting of mapped addressed in getpeername() and getsockname() for
IPv6 SCTP sockets.
This bugs were found because of an issue reported by PVS / D5245.
MFC r295772:
Add some protection code.
MFC r295773:
Add protection code.
MFC r295805:
Use the SCTP level pointer, not the interface level.
MFC r295929:
Don't leak an address in an error path.
Approved by: re (marius)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since r256624 (head) we have been leaking routing table allocations
on vnet enabled jail shutdown. Call the provided cleanup
routines for IP versions 4 and 6 to plug these leaks.
Sponsored by: The FreeBSD Foundation
Reviewed by: gnn
Differential Revision:https://reviews.freebsd.org/D4530
Approved by: re (gjb)
|
|
|
|
|
|
| |
This code is not in modules that need KPI stability so no need to use
the wrapper functions as used in r252511 (head). We can directly use
the locking macros.
|
|
|
|
|
|
|
|
|
| |
Fix the allocation of outgoing streams:
* When processing a cookie, use the number of
streams announced in the INIT-ACK.
* When sending an INIT-ACK for an existing
association, use the value from the association,
not from the end-point.
|
|
|
|
|
|
| |
Move including netinet/icmp6.h around to avoid a problem when including
netinet/icmp6.h and net/netmap.h. Both use ni_flags...
This allows to build multistack with SCTP support.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]
Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security: FreeBSD-SA-16:03.linux, CVE-2016-1880
Security: FreeBSD-SA-16:04.linux, CVE-2016-1881
Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677
|
|
|
|
|
|
|
|
|
|
|
| |
in6_if2idlen: treat bridge(4) interfaces like other Ethernet interfaces
bridge(4) interfaces have an if_type of IFT_BRIDGE, rather than
IFT_ETHER, even though they only support Ethernet-style links. This
caused in6_if2idlen to emit an "unknown link type (209)" warning to
the console every time it was called. Add IFT_BRIDGE to the case
statement in the appropriate place, indicating that it uses the same
IPv6 address format as other Ethernet-like interfaces.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
inet6: Do not assume every interface has ip6 enabled.
Certain interfaces (e.g. pfsync0) do not have ip6 addresses (in other words,
ifp->if_afdata[AF_INET6] is NULL). Ensure we don't panic when the MTU is
updated.
pfsync interfaces will never have ip6 support, because it's explicitly disabled
in in6_domifattach().
PR: 205194
|
|
|
|
| |
(this is derect commit to stable/10)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mld_v2_dispatch_general_query() is used by mld_fasttimo_vnet() to send
a reply to the MLDv2 General Query. In case when router has a lot of
multicast groups, the reply can take several packets due to MTU limitation.
Also we have a limit MLD_MAX_RESPONSE_BURST == 4, that limits the number
of packets we send in one shot. Then we recalculate the timer value and
schedule the remaining packets for sending.
The problem is that when we call mld_v2_dispatch_general_query() to send
remaining packets, we queue new reply in the same mbuf queue. And when
number of packets is bigger than MLD_MAX_RESPONSE_BURST, we get endless
reply of MLDv2 reports.
To fix this, add the check for remaining packets in the queue.
PR: 204831
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Schedule DAD for IN6_IFF_TENTATIVE addresses in nd6_timer(). This
catches cases that DAD probes cannot be sent because of
IFF_UP && !IFF_DRV_RUNNING.
- nd6_dad_starttimer() now calls nd6_dad_ns_output(), instead of
calling it before nd6_dad_starttimer().
- Do not release an entry in dadq when a duplicate entry is being
added.
|
|
|
|
|
|
|
| |
since original commit (r287094) is correct.
Approved by: loos
Sponsored by: Rubicon Communications (Netgate)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Deprecate IN6_IFF_NODAD. It was used to prevent DAD on a loopback
interface but in6if_do_dad() already had a check for IFF_LOOPBACK.
- Remove in6if_do_dad() check in in6_broadcast_ifa(). An address
which needs DAD always has IN6_IFF_TENTATIVE there.
- in6if_do_dad() now returns EAGAIN when the interface is not ready
since DAD callout handler ignores such an interface.
- In DAD callout handler, mark an address as IN6_IFF_TENTATIVE
when the interface has ND6_IFF_IFDISABLED. And Do IFF_UP and
IFF_DRV_RUNNING check consistently when DAD is required.
- draft-ietf-6man-enhanced-dad is now published as RFC 7527.
- Fix some typos.
|
|
|
|
| |
Remove obsolete API (SIOCGDRLST_IN6 and SIOCGPRLST_IN6) support.
|
|
|
|
| |
Do not add IN6_IFF_TENTATIVE when ND6_IFF_NO_DAD.
|
|
|
|
| |
Remove IN6_IFF_NOPFX. This flag was no longer used.
|
|
|
|
| |
Invoke LLE event handler when entry is deleted.
|
|
|
|
|
|
|
|
|
|
| |
- Remove ND6_IFF_IGNORELOOP. This functionality was useless in practice
because a link where looped back NS messages are permanently observed
does not work with either NDP or ARP for IPv4.
- draft-ietf-6man-enhanced-dad is now RFC 7527.
Approved by: re (gjb)
|
|
|
|
|
|
|
| |
Fix a bug which prevented ND6_IFF_IFDISABLED flag from clearing when
the newly-added IPv6 address was /128.
Approved by: re (gjb)
|
|
|
|
|
|
|
| |
Add FIB support for SCTP.
This fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200379
PR: 200379
|
|
|
|
|
|
|
|
|
|
|
| |
Evaluate packet size after the firewall had its chance
Defer the packet size check until after the firewall has had a look at it. This
means that the firewall now has the opportunity to (re-)fragment an oversized
packet.
Differential Revision: https://reviews.freebsd.org/D2821
Reviewed by: gnn
|
|
|
|
|
|
|
|
|
|
|
| |
Remove duplicate code
We'll just fall into the same local delivery block under the
'if (m->m_flags & M_FASTFWD_OURS)'.
Suggested by: ae
Differential Revision: https://reviews.freebsd.org/D2820
Reviewed by: gnn
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Preserve IPv6 fragment IDs accross reassembly and refragmentation
When forwarding fragmented IPv6 packets and filtering with PF we
reassemble and refragment. That means we generate new fragment headers
and a new fragment ID.
We already save the fragment IDs so we can do the reassembly so it's
straightforward to apply the incoming fragment ID on the refragmented
packets.
Differential Revision: https://reviews.freebsd.org/D2817
Reviewed by: gnn
|
|
|
|
|
|
|
| |
Factor out ip6_fragment() function, to be used in IPv6 stack and pf(4).
Differential Revision: https://reviews.freebsd.org/D2815
Reviewed by: gnn
|
|
|
|
|
|
|
|
| |
- Factor out ip6_deletefraghdr() function, to be shared between IPv6 stack and pf(4).
- Move ip6_deletefraghdr() to frag6.c. (Suggested by bz)
Differential Revision: https://reviews.freebsd.org/D2813
Reviewed by: gnn
|
|
|
|
|
|
|
|
|
|
| |
Remove in_gif.h and in6_gif.h files. They only contain function
declarations used by gif(4). Instead declare these functions in C files.
Also make some variables static.
MFC r276215:
Extern declarations in C files loses compile-time checking that
the functions' calls match their definitions. Move them to header files.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Overhaul if_gre(4).
Split it into two modules: if_gre(4) for GRE encapsulation and
if_me(4) for minimal encapsulation within IP.
gre(4) changes:
* convert to if_transmit;
* rework locking: protect access to softc with rmlock,
protect from concurrent ioctls with sx lock;
* correct interface accounting for outgoing datagramms (count only payload size);
* implement generic support for using IPv6 as delivery header;
* make implementation conform to the RFC 2784 and partially to RFC 2890;
* add support for GRE checksums - calculate for outgoing datagramms and check
for inconming datagramms;
* add support for sending sequence number in GRE header;
* remove support of cached routes. This fixes problem, when gre(4) doesn't
work at system startup. But this also removes support for having tunnels with
the same addresses for inner and outer header.
* deprecate support for various GREXXX ioctls, that doesn't used in FreeBSD.
Use our standard ioctls for tunnels.
me(4):
* implementation conform to RFC 2004;
* use if_transmit;
* use the same locking model as gre(4);
PR: 164475
MFC r274289 (by bz):
gcc requires variables to be initialised in two places. One of them
is correctly used only under the same conditional though.
For module builds properly check if the kernel supports INET or INET6,
as otherwise various mips kernels without IPv6 support would fail to build.
MFC r274964:
Add ip_gre.h to ObsoleteFiles.inc.
|
|
|
|
|
|
| |
This is direct commit to stable/10.
Tested by: tuexen@
|
|
|
|
|
|
|
|
|
|
| |
Remove route chaching support from ipsec code. It isn't used for some time.
* remove sa_route_union declaration and route_cache member from struct secashead;
* remove key_sa_routechange() call from ICMP and ICMPv6 code;
* simplify ip_ipsec_mtu();
* remove #include <net/route.h>;
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
|
|
|
| |
Add an ability accept encapsulated packets from different sources by one
gif(4) interface. Add new option "ignore_source" for gif(4) interface.
When it is enabled, gif's encapcheck function requires match only for
packet's destination address.
Differential Revision: https://reviews.freebsd.org/D2004
Sponsored by: Yandex LLC
|
|
|
|
|
| |
Fix and cleanup the debug information. This has no user-visible changes.
Thanks to Irene Ruengeler for proving a patch.
|
|
|
|
|
| |
Minimize the usage of SCTP_BUF_IS_EXTENDED.
This should help Robert...
|
|
|
|
|
|
|
| |
Plug a memory leak in an error code path.
Reported by: Coverity
CID: 1018936
|
|
|
|
|
|
|
|
| |
Mark data checksum as valid for multicast packets, that we send back
to myself via simloop.
Also remove duplicate check under #ifdef DIAGNOSTIC.
PR: 180065
|
|
|
|
|
|
|
| |
Remove VNET_SYSCTL_ARG(). The generic sysctl(9) code handles that.
A panic could occur by "sysctl -a" when using VIMAGE-enabled stable/10
kernel after r262734 because of this missing MFC.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r276844, r276847, r279531, r279559, r279564, r279676
A bunch of IPv6 fixes by melifaro, hrs and ae
Major changes:
Simplify nd6_output_lle()
Add refcounting to DAD and fix races and other errors
Implement Enhanced DAD algorithm for IPv6
Suggested by: ae
Tested by: Jason Wolfe <j at nitrology.com>
Sponsored by: Limelight Networks
|
|
|
|
| |
Fix a possible refcount leak in regen_tmpaddr().
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r275358:
Start process of removing the use of the deprecated "M_FLOWID" flag
from the FreeBSD network code. The flag is still kept around in the
"sys/mbuf.h" header file, but does no longer have any users. Instead
the "m_pkthdr.rsstype" field in the mbuf structure is now used to
decide the meaning of the "m_pkthdr.flowid" field. To modify the
"m_pkthdr.rsstype" field please use the existing "M_HASHTYPE_XXX"
macros as defined in the "sys/mbuf.h" header file.
This patch introduces new behaviour in the transmit direction.
Previously network drivers checked if "M_FLOWID" was set in "m_flags"
before using the "m_pkthdr.flowid" field. This check has now now been
replaced by checking if "M_HASHTYPE_GET(m)" is different from
"M_HASHTYPE_NONE". In the future more hashtypes will be added, for
example hashtypes for hardware dedicated flows.
"M_HASHTYPE_OPAQUE" indicates that the "m_pkthdr.flowid" value is
valid and has no particular type. This change removes the need for an
"if" statement in TCP transmit code checking for the presence of a
valid flowid value. The "if" statement mentioned above is now a direct
variable assignment which is then later checked by the respective
network drivers like before.
r275483:
Remove M_FLOWID from SCTP code.
r276982:
Remove no longer used "M_FLOWID" flag from mbuf.h and update the netisr
manpage.
Note: The FreeBSD version has been bumped.
Reviewed by: hps, tuexen
Sponsored by: Limelight Networks
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix the IPV6_MULTICAST_IF sockopt handling. RFC 3493 says when the
interface index is specified as zero, the system should select the
interface to use for outgoing multicast packets. Even the comment
for the in6p_set_multicast_if() function says about index of zero.
But in fact for zero index the function just returns EADDRNOTAVAIL.
I.e. if you first set some interface and then will try reset it
with zero ifindex, you will get EADDRNOTAVAIL.
Reset im6o_multicast_ifp to NULL when interface index specified as
zero. Also return EINVAL in case when ifnet_byindex() returns NULL.
This will be the same behaviour as when ifindex is bigger than
V_if_index. And return EADDRNOTAVAIL only when interface is not
multicast capable.
|
|
|
|
|
|
| |
Skip L2 addresses lookups for tunneling interfaces.
PR: 197286
|