| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
EALG_MAX_BLOCK_LEN.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
(already done in the non-error case).
CID: 4726
Found with: Coverity Prevent(tm)
MFC after: 1 week
|
| |
|
|
|
|
|
|
| |
You need to update userland (world and ports) tools
to be in sync with the kernel.
Submitted by: mlaier
Submitted by: eri
|
| |
|
|
|
|
| |
PR: 156676
Submitted by: Tobias Brunner (tobias@strongswan.org)
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c
to not need three different versions depending on INET, INET6 or both.
Mark two places preparing for not yet supported functionality with IPv6.
Reviewed by: gnn
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 4 days
|
| |
|
|
|
|
| |
Reviewed by: Tavis Ormandy (taviso cmpxchg8b.com)
MFC after: 5 days
Security: CVE-2011-1547
|
| |
|
|
|
|
|
|
|
|
| |
- Remove contention on ISR during the crypto operation by using rwlock(9).
- Remove a second lookup of the SA in the callback.
Gain on 6 cores CPU with SHA1/AES128 can be up to 30%.
Reviewed by: vanhu
MFC after: 1 month
|
| |
|
|
|
|
|
|
| |
- AH does not release the SA like in ESP/IPCOMP when handling EAGAIN
- ipsec_process_done incorrectly release the SA.
Reviewed by: vanhu
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
| |
This will break interoperability with all older versions of
FreeBSD for those algorithms.
Reviewed by: bz, gnn
Obtained from: NETASQ
MFC after: 1w
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DPCPU_DEFINE and VNET_DEFINE macros, as these cause problems for various
people working on the affected files. A better long-term solution is
still being considered. This reversal may give some modules empty
set_pcpu or set_vnet sections, but these are harmless.
Changes reverted:
------------------------------------------------------------------------
r215318 | dim | 2010-11-14 21:40:55 +0100 (Sun, 14 Nov 2010) | 4 lines
Instead of unconditionally emitting .globl's for the __start_set_xxx and
__stop_set_xxx symbols, only emit them when the set_vnet or set_pcpu
sections are actually defined.
------------------------------------------------------------------------
r215317 | dim | 2010-11-14 21:38:11 +0100 (Sun, 14 Nov 2010) | 3 lines
Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout
the tree.
------------------------------------------------------------------------
r215316 | dim | 2010-11-14 21:23:02 +0100 (Sun, 14 Nov 2010) | 2 lines
Add macros to define static instances of VNET_DEFINE and DPCPU_DEFINE.
|
| |
|
|
| |
the tree.
|
| |
|
|
|
|
|
|
|
|
| |
feature_present(3) checks.
This will help to run-time detect and conditionally handle specific
optionas of either feature in user space (i.e. in libipsec).
Descriptions read by: rwatson
MFC after: 2 weeks
|
| | |
|
| |
|
|
|
|
|
|
|
| |
legacy and IPv6 route destination address.
Previously in case of IPv6, there was a memory overwrite due to not enough
space for the IPv6 address.
PR: kern/122565
MFC After: 2 weeks
|
| |
|
|
|
|
| |
assignment to a local variable not used anywhere after that.
MFC after: 3 days
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
| |
Improve IPsec flow distribution for better netisr parallelism.
Instead of using the pointer that would have the last bits masked in a %
statement in netisr_select_cpuid() to select the queue, use the SPI.
Reviewed by: rwatson
MFC after: 4 weeks
|
| |
|
|
|
|
|
| |
as the SA may be used as soon as key_mature() has been done.
Obtained from: NETASQ
MFC after: 1 week
|
| |
|
|
|
|
|
| |
as SA may be used as soon as key_mature() has been called.
Obtained from: NETASQ
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"Whitspace" churn after the VIMAGE/VNET whirls.
Remove the need for some "init" functions within the network
stack, like pim6_init(), icmp_init() or significantly shorten
others like ip6_init() and nd6_init(), using static initialization
again where possible and formerly missed.
Move (most) variables back to the place they used to be before the
container structs and VIMAGE_GLOABLS (before r185088) and try to
reduce the diff to stable/7 and earlier as good as possible,
to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9.
This also removes some header file pollution for putatively
static global variables.
Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are
no longer needed.
Reviewed by: jhb
Discussed with: rwatson
Sponsored by: The FreeBSD Foundation
Sponsored by: CK Software GmbH
MFC after: 6 days
|
| |
|
|
|
|
|
|
| |
This can prevent kernel panics when updating SPs while
there is some traffic for them.
Obtained from: NETASQ
MFC after: 1m
|
| |
|
|
|
|
|
|
| |
information from the packets.
Reviewed by: bz, mlaier
Approved by: mlaier(mentor)
MFC after: 1 month
|
| |
|
|
|
|
|
|
| |
do not try to free the same list twice but free both the
acquiring list and the security policy acquiring list.
Reviewed by: anchie
MFC after: 3 days
|
| | |
|
| |
|
|
|
| |
PR: kern/123587
MFC after: 5 days
|
| |
|
|
|
|
|
| |
Try to version the struct in a backward compatible way.
People asked for the versioning of the stats structs in general before.
MFC after: 5 days
|
| |
|
|
|
|
| |
(no real functional change).
MFC after: 5 days
|
| |
|
|
|
|
|
|
|
|
|
|
| |
payload size. Before we had always added the header, no matter if we
actually send out compressed data or not.
With this, after the opencrypto/deflate changes, IPcomp starts to work
apart from edge cases. Leave it disabled by default until those are
fixed as well.
PR: kern/123587
MFC after: 5 days
|
| |
|
|
| |
MFC after: 6 days
|
| |
|
|
|
|
| |
the compression algorithm threshold.
MFC after: 6 days
|
| |
|
|
| |
MFC after: 6 days
|
| |
|
|
|
|
|
|
| |
which can both lead to a kernel panic when adding/removing quickly
a lot of SAs.
Obtained from: NETASQ
MFC after: 2w (MFC on 8 before 8.0 release ???)
|
| |
|
|
|
|
|
|
|
| |
may come from outside without being discarded before.
Submitted by: aurelien.ansel@netasq.com
Reviewed by: bz (secteam)
Obtained from: NETASQ
MFC after: 1m
|
| |
|
|
|
|
|
|
|
|
| |
compare them together instead of comparing each one with respective
tunnel endpoint.
PR: kern/138439
Submitted by: aurelien.ansel@netasq.com
Obtained from: NETASQ
MFC after: 1 m
|
| |
|
|
| |
Spotted by: julian
|
| |
|
|
| |
Reported by: bz
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
several critical bugs, including race conditions and lock order issues:
Replace the single rwlock, ifnet_lock, with two locks, an rwlock and an
sxlock. Either can be held to stablize the lists and indexes, but both
are required to write. This allows the list to be held stable in both
network interrupt contexts and sleepable user threads across sleeping
memory allocations or device driver interactions. As before, writes to
the interface list must occur from sleepable contexts.
Reviewed by: bz, julian
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
| |
vnet.h, we now use jails (rather than vimages) as the abstraction
for virtualization management, and what remained was specific to
virtual network stacks. Minor cleanups are done in the process,
and comments updated to reflect these changes.
Reviewed by: bz
Approved by: re (vimage blanket)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
network stacks, VNET_SYSINIT:
- Add VNET_SYSINIT and VNET_SYSUNINIT macros to declare events that will
occur each time a network stack is instantiated and destroyed. In the
!VIMAGE case, these are simply mapped into regular SYSINIT/SYSUNINIT.
For the VIMAGE case, we instead use SYSINIT's to track their order and
properties on registration, using them for each vnet when created/
destroyed, or immediately on module load for already-started vnets.
- Remove vnet_modinfo mechanism that existed to serve this purpose
previously, as well as its dependency scheme: we now just use the
SYSINIT ordering scheme.
- Implement VNET_DOMAIN_SET() to allow protocol domains to declare that
they want init functions to be called for each virtual network stack
rather than just once at boot, compiling down to DOMAIN_SET() in the
non-VIMAGE case.
- Walk all virtualized kernel subsystems and make use of these instead
of modinfo or DOMAIN_SET() for init/uninit events. In some cases,
convert modular components from using modevent to using sysinit (where
appropriate). In some cases, do minor rejuggling of SYSINIT ordering
to make room for or better manage events.
Portions submitted by: jhb (VNET_SYSINIT), bz (cleanup)
Discussed with: jhb, bz, julian, zec
Reviewed by: bz
Approved by: re (VIMAGE blanket)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nor destructors, as there's no actual work to do.
In most cases, the constructors weren't needed because of the existing
protocol initialization functions run by net_init_domain() as part of
VNET_MOD_NET, or they were eliminated when support for static
initialization of virtualized globals was added.
Garbage collect dependency references to modules without constructors or
destructors, notably VNET_MOD_INET and VNET_MOD_INET6.
Reviewed by: bz
Approved by: re (vimage blanket)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
unused custom mutex/condvar-based sleep locks with two locks: an
rwlock (for non-sleeping use) and sxlock (for sleeping use). Either
acquired for read is sufficient to stabilize the vnet list, but both
must be acquired for write to modify the list.
Replace previous no-op read locking macros, used in various places
in the stack, with actual locking to prevent race conditions. Callers
must declare when they may perform unbounded sleeps or not when
selecting how to lock.
Refactor vnet sysinits so that the vnet list and locks are initialized
before kernel modules are linked, as the kernel linker will use them
for modules loaded by the boot loader.
Update various consumers of these KPIs based on whether they may sleep
or not.
Reviewed by: bz
Approved by: re (kib)
|
| |
|
|
|
|
|
|
|
| |
ever actually used. Rename VNET_GET() to VNET() to shorten
variable references.
Discussed with: bz, julian
Reviewed by: bz
Approved by: re (kensmith, kib)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator. Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...). This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack. Virtualized global variables are
tagged at compile-time, placing the in a special linker set, which is
loaded into a contiguous region of kernel memory. Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of a the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy. Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address. When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)
|
