path: root/sys/net/bridge.c
Commit message | Author | Age | Files | Lines
* Fix packet flow when both ng_ether(4) and bridge(4) are in use:  [Gleb Smirnoff | 2004-10-12 | 1 | -4/+29]

  - push all bridge logic from if_ethersubr.c into bridge.c, make bridge_in()
    return mbuf pointer (or NULL).
  - call only bridge_in() from ether_input(), after ng_ether_input() was
    optionally called.
  - call bridge_in() from ng_ether_rcv_upper().

  Long description:
  http://lists.freebsd.org/mailman/htdig/freebsd-net/2004-May/003881.html

  Reported by:  Jian-Wei Wang <jwwang at FreeBSD.csie.NCTU.edu.tw>
  Tested by:    myself, Sergey Lyubka
  Reviewed by:  sam
  Approved by:  julian (mentor)
  MFC after:    2 months
  Notes: svn path=/head/; revision=136428
* Add an additional struct inpcb * argument to pfil(9) in order to enable  [Max Laier | 2004-09-29 | 1 | -1/+1]

  passing along socket information. This is required to work around a LOR
  with the socket code which results in an easily reproducible hard lockup
  with debug.mpsafenet=1.

  This commit does *not* fix the LOR, but enables us to do so later. The
  missing piece is to turn the filter locking into a leaf lock and will
  follow in a separate (later) commit.

  This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in
  foreseeable future.

  Suggested by:     rwatson
  A lot of work by: csjp (he'd be even more helpful w/o mentor-reviews ;)
  Reviewed by:      rwatson, csjp
  Tested by:        -pf, -ipfw, LINT, csjp and myself
  MFC after:        3 days
  LOR IDs:          14 - 17 (not fixed yet)
  Notes: svn path=/head/; revision=135920
* Always compile PFIL_HOOKS into the kernel and remove the associated kernel  [Andre Oppermann | 2004-08-27 | 1 | -9/+1]

  compile option. All FreeBSD packet filters now use the PFIL_HOOKS API and
  thus it becomes a standard part of the network stack.

  If no hooks are connected the entire packet filter hooks section and
  related activities are jumped over. This removes any performance impact if
  no hooks are active.

  Both OpenBSD and DragonFlyBSD have integrated PFIL_HOOKS permanently as
  well.

  Notes: svn path=/head/; revision=134383
* Convert ipfw to use PFIL_HOOKS. This change is transparent to userland  [Andre Oppermann | 2004-08-17 | 1 | -0/+2]

  and preserves the ipfw ABI. The ipfw core packet inspection and filtering
  functions have not been changed, only how ipfw is invoked is different.

  However there are many changes in how ipfw and its add-ons are handled:

  In general ipfw is now called through the PFIL_HOOKS and most associated
  magic, that was in ip_input() or ip_output() previously, is now done in
  ipfw_check_[in|out]() in the ipfw PFIL handler.

  IPDIVERT is entirely handled within the ipfw PFIL handlers. A packet to be
  diverted is checked if it is fragmented, if yes, ip_reass() gets in for
  reassembly. If not, or all fragments arrived and the packet is complete,
  divert_packet is called directly. For 'tee' no reassembly attempt is made
  and a copy of the packet is sent to the divert socket unmodified. The
  original packet continues its way through ip_input/output().

  ipfw 'forward' is done via m_tag's. The ipfw PFIL handlers tag the packet
  with the new destination sockaddr_in. A check if the new destination is a
  local IP address is made and the m_flags are set appropriately. ip_input()
  and ip_output() have some more work to do here. For ip_input() the m_flags
  are checked and a packet for us is directly sent to the 'ours' section for
  further processing. Destination changes on the input path are only tagged
  and the 'srcrt' flag to ip_forward() is set to disable destination checks
  and ICMP replies at this stage. The tag is going to be handled on output.
  ip_output() again checks for m_flags and the 'ours' tag. If found, the
  packet will be dropped back to the IP netisr where it is going to be picked
  up by ip_input() again and then directly sent to the 'ours' section. When
  only the destination changes, the route's 'dst' is overwritten with the new
  destination from the forward m_tag. Then it jumps back at the route lookup
  again and skips the firewall check because it has been marked with
  M_SKIP_FIREWALL. ipfw 'forward' has to be compiled into the kernel with
  'option IPFIREWALL_FORWARD' to enable it.

  DUMMYNET is entirely handled within the ipfw PFIL handlers. A packet for a
  dummynet pipe or queue is directly sent to dummynet_io(). Dummynet will
  then inject it back into ip_input/ip_output() after it has served its
  time. Dummynet packets are tagged and will continue from the next rule when
  they hit the ipfw PFIL handlers again after re-injection.

  BRIDGING and IPFW_ETHER are not changed yet and use ipfw_chk() directly as
  they did before. Later this will be changed to dedicated ETHER PFIL_HOOKS.

  More detailed changes to the code:

  conf/files
        Add netinet/ip_fw_pfil.c.

  conf/options
        Add IPFIREWALL_FORWARD option.

  modules/ipfw/Makefile
        Add ip_fw_pfil.c.

  net/bridge.c
        Disable PFIL_HOOKS if ipfw for bridging is active. Bridging ipfw is
        still directly invoked to handle layer2 headers and packets would get
        a double ipfw when run through PFIL_HOOKS as well.

  netinet/ip_divert.c
        Removed divert_clone() function. It is no longer used.

  netinet/ip_dummynet.[ch]
        Neither the route 'ro' nor the destination 'dst' need to be stored
        while in dummynet transit. Structure members and associated macros
        are removed.

  netinet/ip_fastfwd.c
        Removed all direct ipfw handling code and replace it with the new
        'ipfw forward' handling code.

  netinet/ip_fw.h
        Removed 'ro' and 'dst' from struct ip_fw_args.

  netinet/ip_fw2.c
        (Re)moved some global variables and the module handling.

  netinet/ip_fw_pfil.c
        New file containing the ipfw PFIL handlers and module initialization.

  netinet/ip_input.c
        Removed all direct ipfw handling code and replace it with the new
        'ipfw forward' handling code. ip_forward() no longer requires the
        'next_hop' struct sockaddr_in argument. Disable early checks if
        'srcrt' is set.

  netinet/ip_output.c
        Removed all direct ipfw handling code and replace it with the new
        'ipfw forward' handling code.

  netinet/ip_var.h
        Add ip_reass() as general function. (Used from ipfw PFIL handlers for
        IPDIVERT.)

  netinet/raw_ip.c
        Directly check if ipfw and dummynet control pointers are active.

  netinet/tcp_input.c
        Rework the 'ipfw forward' to local code to work with the new way of
        forward tags.

  netinet/tcp_sack.c
        Remove include 'opt_ipfw.h' which is not needed here.

  sys/mbuf.h
        Remove m_claim_next() macro which was exclusively for ipfw 'forward'
        and is no longer needed.

  Approved by:  re (scottl)
  Notes: svn path=/head/; revision=133920
* In the BPF and ethernet bridging code, don't allow callouts to execute  [Robert Watson | 2004-07-05 | 1 | -1/+1]

  without Giant if we're not debug.mpsafenet=1.

  Notes: svn path=/head/; revision=131630
* The net.link.ether.bridge.enable sysctl MIB variable enables bridge  [Bruce M Simpson | 2004-07-04 | 1 | -0/+1]

  functionality by setting to a non-zero value. This is an integer, but is
  treated as a boolean by the code, so clamp it to a boolean value when set
  so as to avoid unnecessary bridge reinitialization if it's changed to
  another value.

  PR:           kern/61174
  Requested by: Bruce Cran
  Notes: svn path=/head/; revision=131571
* Replace IF_HANDOFF with new IFQ_HANDOFF to enqueue with ALTQ once enabled on  [Max Laier | 2004-06-15 | 1 | -2/+5]

  the respective drivers.

  Notes: svn path=/head/; revision=130549
* add missing #include <sys/module.h>  [Poul-Henning Kamp | 2004-05-30 | 1 | -0/+1]

  Notes: svn path=/head/; revision=129880
* arpcom untangling:  [Luigi Rizzo | 2004-04-24 | 1 | -5/+6]

  do not use struct arpcom directly, rather use IFP2AC(ifp).

  Notes: svn path=/head/; revision=128617
* Re-remove MT_TAGs. The problems with dummynet have been fixed now.  [Max Laier | 2004-02-25 | 1 | -9/+4]

  Tested by:    -current, bms(mentor), me
  Approved by:  bms(mentor), sam
  Notes: svn path=/head/; revision=126239
* Backout MT_TAG removal (i.e. bring back MT_TAGs) for now, as dummynet is  [Max Laier | 2004-02-18 | 1 | -5/+9]

  not working properly with the patch in place.

  Approved by:  bms(mentor)
  Notes: svn path=/head/; revision=125952
* This set of changes eliminates the use of MT_TAG "pseudo mbufs", replacing  [Max Laier | 2004-02-13 | 1 | -9/+5]

  them mostly with packet tags (one case is handled by using an mbuf flag
  since the linkage between "caller" and "callee" is direct and there's no
  need to incur the overhead of a packet tag).

  This is (mostly) work from: sam
  Silence from: -arch
  Approved by:  bms(mentor), sam, rwatson
  Notes: svn path=/head/; revision=125784
* correct bridge_version: replace unexpanded RCS keywords by a fixed string  [Sam Leffler | 2003-12-24 | 1 | -1/+1]

  PR:   kern/60251
  Notes: svn path=/head/; revision=123808
* Replace the if_name and if_unit members of struct ifnet with new members  [Brooks Davis | 2003-10-31 | 1 | -21/+17]

  if_xname, if_dname, and if_dunit. if_xname is the name of the interface and
  if_dname/unit are the driver name and instance.

  This change paves the way for interface renaming and enhanced pseudo device
  creation and configuration semantics.

  Approved By:  re (in principle)
  Reviewed By:  njl, imp
  Tested On:    i386, amd64, sparc64
  Obtained From: NetBSD (if_xname)
  Notes: svn path=/head/; revision=121816
* Correct pfil_run_hooks return handling: if the return value is non-zero  [Sam Leffler | 2003-09-30 | 1 | -5/+3]

  then the mbuf has been consumed by a hook; otherwise beware of a null mbuf
  return (gack). In particular the bridge was doing the wrong thing.

  While in the ipv6 code make its handling of pfil_run_hooks identical to
  netbsd.

  Pointed out by: Pyun YongHyeon <yongari@kt-is.co.kr>
  Notes: svn path=/head/; revision=120593
* o update PFIL_HOOKS support to current API used by netbsd  [Sam Leffler | 2003-09-23 | 1 | -23/+19]

  o revamp IPv4+IPv6+bridge usage to match API changes
  o remove pfil_head instances from protosw entries (no longer used)
  o add locking
  o bump FreeBSD version for 3rd party modules

  Heavy lifting by: "Max Laier" <max@love2party.net>
  Supported by:     FreeBSD Foundation
  Obtained from:    NetBSD (bits of pfil.h and pfil.c)
  Notes: svn path=/head/; revision=120386
* fix build on 64-bit platforms  [Sam Leffler | 2003-09-17 | 1 | -1/+1]

  Notes: svn path=/head/; revision=120177
* Minor overhaul and add locking.  [Sam Leffler | 2003-09-17 | 1 | -305/+409]

  o replace magic constants with #defines (e.g. ETHER_ADDR_LEN)
  o move mib variables to net.link.ether.bridge with backwards compatible
    entries for well-known items maintained under BURN_BRIDGES
  o revamp debugging support so it is conditionally compiled with
    BRIDGE_DEBUG (on currently) and runtime controlled by
    net.link.ether.bridge.debug
  o change timeout to MPSAFE callout
  o optimize lookup for common case of two interfaces
  o optimize forwarding path to take IFNET lock only when needed
  o make boot-time printf dependent on bootverbose
  o sundry style changes (ANSI decls, extraneous spaces, etc.)

  Sponsored by: FreeBSD Foundation
  Notes: svn path=/head/; revision=120139
* Back out M_* changes, per decision of the TRB.  [Warner Losh | 2003-02-19 | 1 | -6/+6]

  Approved by:  trb
  Notes: svn path=/head/; revision=111119
* Do not do an assignment in a truth test (previous commit) or gcc gives a  [Peter Wemm | 2003-02-12 | 1 | -1/+1]

  warning which breaks builds.

  cc1: warnings being treated as errors
  src/sys/net/bridge.c: In function `bdg_forward':
  sys/net/bridge.c:931: warning: suggest parentheses around assignment used as truth value
  *** Error code 1

  Notes: svn path=/head/; revision=110768
* PFIL_HOOKS optimization: check if at least one hook is present before  [Sam Leffler | 2003-02-11 | 1 | -2/+3]

  munging the IP header to pass to the hooks

  Notes: svn path=/head/; revision=110733
* Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.  [Alfred Perlstein | 2003-01-21 | 1 | -6/+6]

  Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.

  Notes: svn path=/head/; revision=109623
* Oops, I misread the purpose of the NULL check in EH_RESTORE() in  [Ian Dowse | 2002-12-27 | 1 | -2/+3]

  revision 1.62. It was checking for M_PREPEND() failing, not for the case
  of a NULL mbuf pointer being supplied to the macro. Back out that revision,
  and fix the NULL dereference by not calling EH_RESTORE() in the case where
  the mbuf pointer is NULL because the firewall rejected the packet.

  Notes: svn path=/head/; revision=108326
* Fix a bug introduced by revision 1.59 that would cause an immediate  [Ian Dowse | 2002-12-27 | 1 | -1/+1]

  NULL dereference if a bridged packet was rejected by ipfw.

  Notes: svn path=/head/; revision=108319
* SMP locking for ifnet list.  [Jeffrey Hsu | 2002-12-22 | 1 | -10/+22]

  Notes: svn path=/head/; revision=108172
* o Untangle the confusion with the malloc flags {M_WAITOK, M_NOWAIT} and  [Bosko Milekic | 2002-12-19 | 1 | -2/+2]

    the mbuf allocator flags {M_TRYWAIT, M_DONTWAIT}.

  o Fix a bpf_compat issue where malloc() was defined to just call
    bpf_alloc() and pass the 'canwait' flag(s) along. It's been changed to
    call bpf_alloc() but pass the corresponding M_TRYWAIT or M_DONTWAIT flag
    (and only one of those two).

  Submitted by: Hiten Pandya <hiten@unixdaemons.com> (hiten->commit_count++)
  Notes: svn path=/head/; revision=108107
* track changes to ethernet input handling to no longer strip the Ethernet header  [Sam Leffler | 2002-11-14 | 1 | -48/+55]

  Reviewed by:  many
  Approved by:  re
  Notes: svn path=/head/; revision=106938
* Fix misindentation.  [Poul-Henning Kamp | 2002-10-16 | 1 | -10/+10]

  Spotted by:   FlexeLint.
  Notes: svn path=/head/; revision=105217
* Replace aux mbufs with packet tags:  [Sam Leffler | 2002-10-16 | 1 | -1/+1]

  o instead of a list of mbufs use a list of m_tag structures a la openbsd
  o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
    ABI/module number cookie
  o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
    use this in defining openbsd-compatible m_tag_find and m_tag_get routines
  o rewrite KAME use of aux mbufs in terms of packet tags
  o eliminate the most heavily used aux mbufs by adding an additional struct
    inpcb parameter to ip_output and ip6_output to allow the IPsec code to
    locate the security policy to apply to outbound packets
  o bump __FreeBSD_version so code can be conditionalized
  o fixup ipfilter's call to ip_output based on __FreeBSD_version

  Reviewed by:  julian, luigi (silent), -arch, -net, darren
  Approved by:  julian, silence from everyone else
  Obtained from: openbsd (mostly)
  MFC after:    1 month
  Notes: svn path=/head/; revision=105194
* When reusing a pointer as a number, at least cast it  [Maxime Henrion | 2002-10-06 | 1 | -1/+1]

  to uintptr_t rather than u_int to avoid warnings on 64-bit architectures.

  Notes: svn path=/head/; revision=104570
* Make bridging and layer2-ipfw obey net.inet.ip.fw.one_pass.  [Luigi Rizzo | 2002-09-12 | 1 | -2/+2]

  I should have committed this ages ago.

  The MFC for if_ethersubr.c could be done in the usual few days (only ipfw2
  uses it), the one for bridge.c should probably wait until after 4.7 because
  it changes an existing though mostly undocumented behaviour (on which I
  hope nobody relies). All in all, I'll wait for both things unless there is
  demand.

  MFC after:    35 days
  Notes: svn path=/head/; revision=103242
* Remove 0 initializers for global/static variables, so they end up in  [Luigi Rizzo | 2002-07-07 | 1 | -4/+4]

  BSS instead of DATA. This marginally reduces the kernel image size, though
  the difference is almost irrelevant for compressed kernels.

  Notes: svn path=/head/; revision=99555
* Remove trailing whitespaces.  [Maxim Konovalov | 2002-07-03 | 1 | -2/+2]

  Approved by:  luigi
  Notes: svn path=/head/; revision=99340
* o Strict interface names comparison. The old code assumed "fxp1" == "fxp11".  [Maxim Konovalov | 2002-07-03 | 1 | -3/+3]

  o Use an appropriate constant for interface name buffer.

  Reviewed by:  luigi
  Approved by:  luigi
  MFC after:    1 month
  Notes: svn path=/head/; revision=99339
* fix indentation, whitespace and a few comments.  [Luigi Rizzo | 2002-06-23 | 1 | -3/+3]

  Notes: svn path=/head/; revision=98669
* Remove (almost all) global variables that were used to hold  [Luigi Rizzo | 2002-06-22 | 1 | -35/+52]

  packet forwarding state ("annotations") during ip processing.
  The code is considerably cleaner now.

  The variables removed by this change are:

        ip_divert_cookie        used by divert sockets
        ip_fw_fwd_addr          used for transparent ip redirection
        last_pkt                used by dynamic pipes in dummynet

  Removal of the first two has been done by carrying the annotations into
  volatile structs prepended to the mbuf chains, and adding appropriate code
  to add/remove annotations in the routines which make use of them, i.e.
  ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(),
  ether_output_frame(), div_output().

  On passing, remove a bug in divert handling of fragmented packet. Now it is
  the fragment at offset 0 which sets the divert status of the whole packet,
  whereas formerly it was the last incoming fragment to decide.

  Removal of last_pkt required a change in the interface of ip_fw_chk() and
  dummynet_io(). On passing, use the same mechanism for dummynet annotations
  and for divert/forward annotations.

  option IPFIREWALL_FORWARD is effectively useless, the code to implement it
  is very small and is now in by default to avoid the obfuscation of
  conditionally compiled code.

  NOTES:
  * there is at least one global variable left, sro_fwd, in ip_output().
    I am not sure if/how this can be removed.
  * I have deliberately avoided gratuitous style changes in this commit to
    avoid cluttering the diffs. Minor style cleanup will likely be necessary
  * this commit only focused on the IP layer. I am sure there is a number of
    global variables used in the TCP and maybe UDP stack.
  * despite the number of files touched, there are absolutely no APIs or
    data structures changed by this commit (except the interfaces of
    ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is
    quite safe and unintrusive (and desirable, given the improved readability
    of the code).

  MFC after:    10 days
  Notes: svn path=/head/; revision=98613
* Cleanup the interface to ip_fw_chk, two of the input arguments  [Luigi Rizzo | 2002-05-09 | 1 | -36/+34]

  were totally useless and have been removed.

  ip_input.c, ip_output.c:
        Properly initialize the "ip" pointer in case the firewall does an
        m_pullup() on the packet. Remove some debugging code forgotten long
        ago.

  ip_fw.[ch], bridge.c:
        Prepare the grounds for matching MAC header fields in bridged
        packets, so we can have 'etherfw' functionality without a lot of
        kernel and userland bloat.

  Notes: svn path=/head/; revision=96245
* Add hooks for very basic IPFilter support in bridging. Set,  [Crist J. Clark | 2002-03-18 | 1 | -5/+42]

        # sysctl net.link.ether.bdg_ipf=1

  To enable. Just like ipfw(8) bridging, only input packets are filtered in
  the bridge. Filtering works just like in the IP layer, ipf(8) first, then
  ipfw(8). And just like in the IP layer, both are independent, one need not
  be run to use the other.

  (Note: This will not work in, but doesn't break, the bridge.ko module. The
  ipl.ko module would need to be fixed before that is worth worrying about.)

  Reviewed by:  luigi
  Notes: svn path=/head/; revision=92522
* Unbreak bridge.ko. Replace an unresolved symbol with the actions it  [Crist J. Clark | 2002-03-05 | 1 | -1/+3]

  was meant to take.

  Submitted by: luigi
  Approved by:  luigi
  MFC after:    3 days
  Notes: svn path=/head/; revision=91650
* o Move NTOHL() and associated macros into <sys/param.h>. These are  [Mike Barcroft | 2002-02-18 | 1 | -5/+5]

    deprecated in favor of the POSIX-defined lowercase variants.
  o Change all occurrences of NTOHL() and associated macros in the source
    tree to use the lowercase function variants.
  o Add missing license bits to sparc64's <machine/endian.h>.
    Approved by: jake
  o Clean up <machine/endian.h> files.
  o Remove unused __uint16_swap_uint32() from i386's <machine/endian.h>.
  o Remove prototypes for non-existent bswapXX() functions.
  o Include <machine/endian.h> in <arpa/inet.h> to define the POSIX-required
    ntohl() family of functions.
  o Do similar things to expose the ntohl() family in libstand,
    <netinet/in.h>, and <sys/param.h>.
  o Prepend underscores to the ntohl() family to help deal with complexities
    associated with having MD (asm and inline) versions, and having to
    prevent exposure of these functions in other headers that happen to make
    use of endian-specific defines.
  o Create weak aliases to the canonical function name to help deal with
    third-party software forgetting to include an appropriate header.
  o Remove some now unneeded pollution from <sys/types.h>.
  o Add missing <arpa/inet.h> includes in userland.

  Tested on:    alpha, i386
  Reviewed by:  bde, jake, tmm
  Notes: svn path=/head/; revision=90868
* Lots of improvement to the bridging code.  [Luigi Rizzo | 2002-02-15 | 1 | -242/+378]

  In order of importance:

  + each cluster now uses private data structures (filtering and local
    address tables) so you can treat them as fully independent switches.
    This part of the work was supported by:
    Cisco Systems, Inc. - NSITE lab, RTP, NC.

  + cleaned up the handling of configuration, so the system will behave much
    better when real or pseudo devices are dynamically attached or detached.
    It should also not panic anymore on systems with large number of devices,
    closing a few existing PRs on the topic.

  + while at it, add support for VLAN. This means that a FreeBSD box can now
    work as a real VLAN switch, with trunk interfaces etc. As an example:

        ifconfig vlan0 vlan 3 vlandev dc0
        ifconfig vlan1 vlan 4 vlandev dc0
        net.link.ether.bridge_cfg="vlan0:3,dc1:3,vlan1:4,dc1:4"

    uses dc0 as a trunk interface, and dc1 and dc3 as ports on vlans 3 and 4
    You get the idea...

    NOTA BENE: by default bridge_cfg is initialised to "" so even if you
    enable bridging, no packets will be bridged until you set the list of
    interfaces on which you want this to happen.

  + large restructuring of the code, moving private vars and types from
    bridge.h to bridge.c.

  + added a lot of comments to the code to explain how to use it.

  Notes: svn path=/head/; revision=90678
* Whitespace change - replace leading spaces with tabs.  [Luigi Rizzo | 2001-11-24 | 1 | -6/+6]

  Notes: svn path=/head/; revision=86843
* MFS: sync the ipfw/dummynet/bridge code with the one recently merged  [Luigi Rizzo | 2001-11-04 | 1 | -88/+173]

  into stable (mostly, but not only, formatting and comments changes).

  Notes: svn path=/head/; revision=86047
* Remove an extra splimp() call.  [Luigi Rizzo | 2001-11-01 | 1 | -1/+0]

  Spotted-by:   diff(1)
  Notes: svn path=/head/; revision=85812
* Fix this so it compiles cleanly for alpha. Tried to do some minimal testing.  [Matt Jacob | 2001-10-19 | 1 | -8/+8]

  Reviewed by:  freebsd-net
  Notes: svn path=/head/; revision=85181
* Traverse the list of network interfaces rather than use if_index- if_index is  [Matt Jacob | 2001-10-12 | 1 | -3/+1]

  not guaranteed to be dense with respect to the actual list of interfaces.

  Notes: svn path=/head/; revision=84853
* Make it so dummynet and bridge can be loaded as modules.  [Paul Saab | 2001-10-05 | 1 | -27/+55]

  Submitted by: billf
  Notes: svn path=/head/; revision=84516
* Two main changes here:  [Luigi Rizzo | 2001-09-27 | 1 | -2/+2]

  + implement "limit" rules, which permit limiting the number of sessions
    between certain host pairs (according to masks). These are a special type
    of stateful rules, which might be of interest in some cases. See the ipfw
    manpage for details.

  + merge the list pointers and ipfw rule descriptors in the kernel, so the
    code is smaller, faster and more readable. This patch basically consists
    in replacing "foo->rule->bar" with "rule->bar" all over the place. I have
    been willing to do this for ages!

  MFC after:    1 week
  Notes: svn path=/head/; revision=84058
* Remove unused variable  [Peter Wemm | 2001-06-15 | 1 | -1/+0]

  Notes: svn path=/head/; revision=78248
* Sync with the bridge/dummynet/ipfw code already tested in stable.  [Luigi Rizzo | 2001-02-10 | 1 | -67/+60]

  In ip_fw.[ch] change a couple of variable and field names to avoid having
  types, variables and fields with the same name.

  Notes: svn path=/head/; revision=72270