path: root/sys/netinet
Commit message (author, date; files changed, lines -/+)
...
* Spell types consistently throughout this file. Do not use the __packed
  attribute, as we are often #include'd from userland without <sys/cdefs.h>
  in front of us, and it is not strictly necessary.
  Noticed by: Sascha Blank
  (bms, 2004-02-16; 1 file, -4/+4)
* Final brucification pass. Spell types consistently (u_int). Remove bogus
  casts. Remove unnecessary parentheses.
  Submitted by: bde
  (bms, 2004-02-14; 3 files, -3/+3)
* Do not expose ip_dn_find_rule inline function to userland and unbreak world.
  (mlaier, 2004-02-13; 1 file, -1/+1)
* Do not check receive interface when pfil(9) hook changed address.
  Approved by: bms (mentor)
  (mlaier, 2004-02-13; 1 file, -1/+1)
* This set of changes eliminates the use of MT_TAG "pseudo mbufs", replacing
  them mostly with packet tags (one case is handled by using an mbuf flag
  since the linkage between "caller" and "callee" is direct and there's no
  need to incur the overhead of a packet tag).
  This is (mostly) work from: sam
  Silence from: -arch
  Approved by: bms (mentor), sam, rwatson
  (mlaier, 2004-02-13; 14 files, -396/+453)
* Brucification.
  Submitted by: bde
  (bms, 2004-02-13; 8 files, -38/+43)
* Supported IPV6_RECVPATHMTU socket option.
  Obtained from: KAME
  (ume, 2004-02-13; 2 files, -4/+4)
* Update the prototype for tcpsignature_apply() to reflect the spelling of
  the types used by m_apply()'s callback function, f, as documented in
  mbuf(9).
  Noticed by: njl
  (bms, 2004-02-12; 3 files, -5/+5)
* style(9) pass; whitespace and comments.
  Submitted by: njl
  (bms, 2004-02-12; 3 files, -40/+48)
* Remove an unnecessary initialization that crept in from the code which
  verifies TCP-MD5 digests.
  Noticed by: njl
  (bms, 2004-02-12; 2 files, -4/+2)
* Fix a typo; left out preprocessor conditional for sigoff variable, which
  is only used by TCP_SIGNATURE code.
  Noticed by: Roop Nanuwa
  (bms, 2004-02-11; 1 file, -0/+2)
* Initial import of RFC 2385 (TCP-MD5) digest support.

  This is the first of two commits; bringing in the kernel support first.
  This can be enabled by compiling a kernel with options TCP_SIGNATURE and
  FAST_IPSEC.

  For the uninitiated, this is a TCP option which provides for a means of
  authenticating TCP sessions which came into being before IPSEC. It is
  still relevant today, however, as it is used by many commercial router
  vendors, particularly with BGP, and as such has become a requirement for
  interconnect at many major Internet points of presence.

  Several parts of the TCP and IP headers, including the segment payload,
  are digested with MD5, including a shared secret.

  The PF_KEY interface is used to manage the secrets using security
  associations in the SADB.

  There is a limitation here in that as there is no way to map a TCP flow
  per-port back to an SPI without polluting tcpcb or using the SPD; the
  code to do the latter is unstable at this time. Therefore this code only
  supports per-host keying granularity.

  Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
  TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
  users of this feature, this will not pose any problem.

  This implementation is output-only; that is, the option is honoured when
  responding to a host initiating a TCP session, but no effort is made
  [yet] to authenticate inbound traffic. This is, however, sufficient to
  interwork with Cisco equipment.

  Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
  local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
  available from me upon request.

  Sponsored by: sentex.net
  (bms, 2004-02-11; 11 files, -2/+397)
* Pass pcb rather than so. It is expected that per-socket policy
  works again.
  (ume, 2004-02-03; 6 files, -21/+8)
* Add sysctl net.inet.icmp.reply_src to specify the interface name
  used for the ICMP reply source in response to packets which are not
  directly addressed to us. By default continue with normal source
  selection.
  Reviewed by: bms
  (andre, 2004-02-02; 1 file, -0/+19)
* More verbose description of the source IP address selection for ICMP replies.
  Reviewed by: bms
  (andre, 2004-02-02; 1 file, -5/+16)
* Introduce the SO_BINTIME option which takes a high-resolution timestamp
  at packet arrival.

  For benchmarking purposes SO_BINTIME is preferable to SO_TIMEVAL since
  it has higher resolution and lower overhead. Simultaneous use of the two
  options is possible and they will return consistent timestamps.

  This introduces an extra test and a function call for SO_TIMEVAL, but I
  have not been able to measure that.
  (phk, 2004-01-31; 2 files, -9/+20)
* Remove NetBSD'isms (add FreeBSD'isms?), which makes gre(4) work again.
  (sobomax, 2004-01-30; 1 file, -1/+1)
* Correct the descriptions of the net.inet.{udp,raw}.recvspace sysctls.
  (ru, 2004-01-27; 2 files, -2/+2)
* Add support for WCCPv2. It should be enabled manually using the link2
  ifconfig(8) flag since the header for version 2 is the same but the IP
  payload is prepended with an additional 4-byte field.
  Inspired by: Roman Synyuk <roman@univ.kiev.ua>
  MFC after: 2 weeks
  (sobomax, 2004-01-26; 1 file, -3/+6)
* (whitespace-only)
  Kill trailing spaces.
  (sobomax, 2004-01-26; 1 file, -3/+3)
* Remove leftover FREE() from changes in rev 1.50.
  Noticed by: Jun Kuriyama <kuriyama@imgsrc.co.jp>
  (andre, 2004-01-23; 1 file, -1/+0)
* Split the overloaded variable 'win' into two for their specific purposes:
  recwin and sendwin. This removes a big source of confusion and makes
  following the code much easier.
  Reviewed by: sam (mentor)
  Obtained from: DragonFlyBSD rev 1.6 (hsu)
  (andre, 2004-01-22; 1 file, -21/+22)
* Move the reduction by one of the syncache limit after the zone has been
  allocated.
  Reviewed by: sam (mentor)
  Obtained from: DragonFlyBSD rev 1.6 (hsu)
  (andre, 2004-01-22; 1 file, -1/+1)
* Remove an unused variable and put the sockaddr_in6 onto the stack instead
  of malloc'ing it.
  Reviewed by: sam (mentor)
  Obtained from: DragonFlyBSD rev 1.6 (hsu)
  (andre, 2004-01-22; 1 file, -26/+14)
* Merge from DragonFlyBSD rev 1.10:
  date: 2003/09/02 10:04:47; author: hsu; state: Exp; lines: +5 -6
  Account for when Limited Transmit is not congestion window limited.
  Obtained from: DragonFlyBSD
  (hsu, 2004-01-20; 2 files, -12/+10)
* Mostly mechanical rework of libalias:

  Makes it possible to have multiple packet aliasing instances in a single
  process by moving all static and global variables into an instance
  structure called "struct libalias".

  Redefine a new API based on s/PacketAlias/LibAlias/g

  Add new "instance" argument to all functions in the new API.

  Implement old API in terms of the new API.
  (phk, 2004-01-17; 16 files, -737/+1071)
* Do not deref freed pointer
  Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
  Reviewed by: itojun
  (ume, 2004-01-13; 1 file, -2/+2)
* Disable the minmssoverload connection drop by default until the detection
  logic is refined.
  (andre, 2004-01-12; 1 file, -1/+1)
* Check that sa_len is the appropriate value in tcp_usr_bind(),
  tcp6_usr_bind(), tcp_usr_connect(), and tcp6_usr_connect() before
  checking to see whether the address is multicast so that the proper
  errno value will be returned if sa_len is incorrect. The checks are
  identical to the ones in in_pcbbind_setup(), in6_pcbbind(), and
  in6_pcbladdr(), which are called after the multicast address check
  passes.
  MFC after: 30 days
  (truckman, 2004-01-10; 1 file, -0/+8)
* Reduce TCP_MINMSS default to 216. The AX.25 protocol (packet radio)
  is frequently used with an MTU of 256 because of slow speeds and a
  high packet loss rate.
  (andre, 2004-01-09; 1 file, -4/+3)
* Limiters and sanity checks for TCP MSS (maximum segment size)
  resource exhaustion attacks.

  For network link optimization TCP can adjust its MSS and thus packet
  size according to the observed path MTU. This is done dynamically based
  on feedback from the remote host and network components along the packet
  path. This information can be abused to pretend an extremely low path
  MTU.

  The resource exhaustion works in two ways:

  o during tcp connection setup the advertized local MSS is exchanged
    between the endpoints. The remote endpoint can set this arbitrarily
    low (except for a minimum MTU of 64 octets enforced in the BSD code).
    When the local host is sending data it is forced to send many small IP
    packets instead of a large one. For example instead of the normal TCP
    payload size of 1448 it forces TCP payload size of 12 (MTU 64) and thus
    we have a 120 times increase in workload and packets. On fast links
    this quickly saturates the local CPU and may also hit pps processing
    limits of network components along the path. This type of attack is
    particularly effective for servers where the attacker can download
    large files (WWW and FTP). We mitigate it by enforcing a minimum MTU
    settable by sysctl net.inet.tcp.minmss defaulting to 256 octets.

  o the local host is receiving data on a TCP connection from the remote
    host. The local host has no control over the packet size the remote
    host is sending. The remote host may choose to do what is described in
    the first attack and send the data in packets with a TCP payload of at
    least one byte. For each packet the tcp_input() function will be
    entered, the packet is processed and a sowakeup() is signalled to the
    connected process. For example an attack with 2 Mbit/s gives 4716
    packets per second and the same amount of sowakeup()s to the process
    (and context switches). This type of attack is particularly effective
    for servers where the attacker can upload large amounts of data.
    Normally this is the case with WWW server where large POSTs can be
    made. We mitigate this by calculating the average MSS payload per
    second. If it goes below 'net.inet.tcp.minmss' and the pps rate is
    above 'net.inet.tcp.minmssoverload' defaulting to 1000 this particular
    TCP connection is reset and dropped.

  MITRE CVE: CAN-2004-0002
  Reviewed by: sam (mentor)
  MFC after: 1 day
  (andre, 2004-01-08; 8 files, -4/+200)
* If path MTU discovery is enabled set the DF bit in all cases we
  send packets on a TCP connection.
  PR: kern/60889
  Tested by: Richard Wendland <richard@wendland.org.uk>
  Approved by: re (scottl)
  (andre, 2004-01-08; 2 files, -0/+8)
* Do not set the ip_id to zero when DF is set on packet and
  restore the general pre-randomid behaviour. Setting the ip_id to zero
  causes several problems with packet reassembly when a device along the
  path removes the DF bit for some reason. Other BSD and Linux have found
  and fixed the same issues.
  PR: kern/60889
  Tested by: Richard Wendland <richard@wendland.org.uk>
  Approved by: re (scottl)
  (andre, 2004-01-08; 1 file, -12/+6)
* Enable the following TCP options by default to give them more exposure:

    rfc3042   Limited retransmit
    rfc3390   Increasing TCP's initial congestion window
    inflight  TCP inflight bandwidth limiting

  All my production servers have them enabled and there have been no
  issues. I am confident about having them on by default and it gives us
  better overall TCP performance.
  Reviewed by: sam (mentor)
  (andre, 2004-01-06; 4 files, -6/+6)
* According to RFC1812 we have to ignore ICMP redirects when we
  are acting as router (ipforwarding enabled). This doesn't fix the
  problem that host routes from ICMP redirects are never removed from the
  kernel routing table but removes the problem for machines doing packet
  forwarding.
  Reviewed by: sam (mentor)
  (andre, 2004-01-06; 1 file, -1/+5)
* Document the net.inet.ip.subnets_are_local sysctl.
  (ru, 2003-12-30; 1 file, -1/+1)
* Sync with NetBSD:

  if_gre.c rev.1.41-1.49
  o Spell output with two ts.
  o Remove assigned-to but not used variable.
  o fix grammatical error in a diagnostic message.
  o u_short -> u_int16_t.
  o gi_len is ip_len, so it has to be network byteorder.

  if_gre.h rev.1.11-1.13
  o prototype must not have variable name.
  o u_short -> u_int16_t.
  o Spell address with two d's.

  ip_gre.c rev.1.22-1.29
  o KNF - return is not a function.
  o The "osrc" variable in gre_mobile_input() is only ever set but not
    referenced; remove it.
  o correct (false) assumptions on mbuf chain. not sure if it really
    helps, but anyways, it is necessary to perform m_pullup.
  o correct arg to m_pullup (need to count IP header size as well).
  o remove redundant adjustment of m->m_pkthdr.len.
  o clear m_flags just for safety.
  o tabify.
  o u_short -> u_int16_t.

  MFC after: 2 weeks
  (sobomax, 2003-12-30; 1 file, -22/+45)
* o eliminate widespread on-stack mbuf use for bpf by introducing
    a new bpf_mtap2 routine that does the right thing for an mbuf
    and a variable-length chunk of data that should be prepended.
  o while we're sweeping the drivers, use u_int32_t uniformly when
    prepending the address family (several places were assuming
    sizeof(int) was 4)
  o return M_ASSERTVALID to BPF_MTAP* now that all stack-allocated
    mbufs have been eliminated; this may better be moved to the bpf
    routines
  Reviewed by: arch@ and several others
  (sam, 2003-12-28; 1 file, -15/+3)
* o Fix a comment: softticks lives in sys/kern/kern_timeout.c.
  PR: kern/60613
  Submitted by: Gleb Smirnoff
  MFC after: 3 days
  (maxim, 2003-12-27; 1 file, -1/+1)
* NULL is not 0.
  Submitted by: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
  (ume, 2003-12-24; 1 file, -1/+1)
* I didn't notice it right away, but check the right length too.
  (ru, 2003-12-23; 1 file, -1/+1)
* Fix a problem introduced in revision 1.84: m_pullup() does not
  necessarily return the same mbuf chain so we need to recompute mtod()
  consumers after pulling up.
  (ru, 2003-12-23; 1 file, -5/+7)
* Catch a few places where NULL (pointer) was used where 0 (integer) was
  expected.
  (peter, 2003-12-23; 1 file, -5/+4)
* o move mutex init/destroy logic to the module load/unload hooks;
    otherwise they are initialized twice when the code is statically
    configured in the kernel because the module load method gets invoked
    before the user application calls ip_mrouter_init
  o add a mutex to synchronize the module init/done operations; this
    sort of was done using the value of ip_mroute but X_ip_mrouter_done
    sets it to NULL very early on which can lead to a race against
    ip_mrouter_init; using the additional mutex means this is safe now
  o don't call ip_mrouter_reset from ip_mrouter_init; this now happens
    once at module load and X_ip_mrouter_done does the appropriate
    cleanup work to ensure the data structures are in a consistent state
    so that a subsequent init operation inherits good state
  Reviewed by: juli
  (sam, 2003-12-20; 1 file, -11/+27)
* Fix some becuase -> because typos.
  Reported by: Marco Wertejuk <wertejuk@mwcis.com>
  (jhb, 2003-12-17; 2 files, -2/+2)
* Switch TCP over to using the inpcb label when responding in timed
  wait, rather than the socket label. This avoids reaching up to the
  socket layer during connection close, which requires locking changes.
  To do this, introduce MAC Framework entry point
  mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond()
  instead of calling mac_create_mbuf_from_socket() or
  mac_create_mbuf_netlayer(). Introduce MAC Policy entry point
  mpo_create_mbuf_from_inpcb(), and implementations for various policies,
  which generally just copy label data from the inpcb to the mbuf. Assert
  the inpcb lock in the entry point since we require consistency for the
  inpcb label reference.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
  (rwatson, 2003-12-17; 2 files, -8/+2)
* o IN_MULTICAST wants an address in host byte order.
  PR: kern/60304
  Submitted by: demon
  MFC after: 1 week
  (maxim, 2003-12-16; 1 file, -1/+1)
* Do not panic when flushing dummynet firewall rules
  Reviewed by: andre
  Approved by: re (scottl)
  (emax, 2003-12-06; 1 file, -1/+1)
* Swap destination and source arguments of two bcopy() calls.
  Before committing the initial tcp_hostcache I changed them from memcpy()
  to conform with FreeBSD style without realizing the difference in
  argument definition. This fixes hostcache operation for IPv6 (in general
  and explicitly IPv6 path mtu discovery) and T/TCP (RFC1644).
  Submitted by: Taku YAMAMOTO <taku@cent.saitama-u.ac.jp>
  Approved by: re (rwatson)
  (andre, 2003-12-02; 1 file, -2/+2)
* Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate
  code is compiled in to support the O_IPSEC operator. Previously no
  support was included and ipsec rules were always matching. Note that we
  do not return an error when an ipsec rule is added and the kernel does
  not have IPsec support compiled in; this is done intentionally but we
  may want to revisit this (document this in the man page).
  PR: 58899
  Submitted by: Bjoern A. Zeeb
  Approved by: re (rwatson)
  (sam, 2003-12-02; 1 file, -0/+1)