| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
MFC after: 2 weeks
Notes:
svn path=/head/; revision=222742
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dynamic rules. We are doing forwarding in the following cases:
o For the simple ipfw fwd rule, e.g.
fwd 10.0.0.1 ip from any to any out xmit em0
fwd 127.0.0.1,3128 tcp from any to any 80 in recv em1
o For the dynamic fwd rule, e.g.
fwd 192.168.0.1 tcp from any to 10.0.0.3 3333 setup keep-state
When this rule triggers it creates a dynamic rule, but this
dynamic rule should forward packets only in forward direction.
o And the last case that does not work before - simple fwd rule which
triggers when some dynamic rule is already executed.
PR: kern/147720, kern/150798
MFC after: 1 month
Notes:
svn path=/head/; revision=222582
|
| |
|
|
|
|
|
| |
MFC after: 1 week
Notes:
svn path=/head/; revision=222560
|
| |
|
|
|
|
|
|
| |
PR: kern/69963
MFC after: 1 week
Notes:
svn path=/head/; revision=222559
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- The existing ipi_lock continues to protect the global inpcb list and
inpcb counter. This lock is now relegated to a small number of
allocation and free operations, and occasional operations that walk
all connections (including, awkwardly, certain UDP multicast receive
operations -- something to revisit).
- A new ipi_hash_lock protects the two inpcbinfo hash tables for
looking up connections and bound sockets, manipulated using new
INP_HASH_*() macros. This lock, combined with inpcb locks, protects
the 4-tuple address space.
Unlike the current ipi_lock, ipi_hash_lock follows the individual inpcb
connection locks, so may be acquired while manipulating a connection on
which a lock is already held, avoiding the need to acquire the inpcbinfo
lock preemptively when a binding change might later be required. As a
result, however, lookup operations necessarily go through a reference
acquire while holding the lookup lock, later acquiring an inpcb lock --
if required.
A new function in_pcblookup() looks up connections, and accepts flags
indicating how to return the inpcb. Due to lock order changes, callers
no longer need acquire locks before performing a lookup: the lookup
routine will acquire the ipi_hash_lock as needed. In the future, it will
also be able to use alternative lookup and locking strategies
transparently to callers, such as pcbgroup lookup. New lookup flags are,
supplementing the existing INPLOOKUP_WILDCARD flag:
INPLOOKUP_RLOCKPCB - Acquire a read lock on the returned inpcb
INPLOOKUP_WLOCKPCB - Acquire a write lock on the returned inpcb
Callers must pass exactly one of these flags (for the time being).
Some notes:
- All protocols are updated to work within the new regime; especially,
TCP, UDPv4, and UDPv6. pcbinfo ipi_lock acquisitions are largely
eliminated, and global hash lock hold times are dramatically reduced
compared to previous locking.
- The TCP syncache still relies on the pcbinfo lock, something that we
may want to revisit.
- Support for reverting to the FreeBSD 7.x locking strategy in TCP input
is no longer available -- hash lookup locks are now held only very
briefly during inpcb lookup, rather than for potentially extended
periods. However, the pcbinfo ipi_lock will still be acquired if a
connection state might change such that a connection is added or
removed.
- Raw IP sockets continue to use the pcbinfo ipi_lock for protection,
due to maintaining their own hash tables.
- The interface in6_pcblookup_hash_locked() is maintained, which allows
callers to acquire hash locks and perform one or more lookups atomically
with 4-tuple allocation: this is required only for TCPv6, as there is no
in6_pcbconnect_setup(), which there should be.
- UDPv6 locking remains significantly more conservative than UDPv4
locking, which relates to source address selection. This needs
attention, as it likely significantly reduces parallelism in this code
for multithreaded socket use (such as in BIND).
- In the UDPv4 and UDPv6 multicast cases, we need to revisit locking
somewhat, as they relied on ipi_lock to stablise 4-tuple matches, which
is no longer sufficient. A second check once the inpcb lock is held
should do the trick, keeping the general case from requiring the inpcb
lock for every inpcb visited.
- This work reminds us that we need to revisit locking of the v4/v6 flags,
which may be accessed lock-free both before and after this change.
- Right now, a single lock name is used for the pcbhash lock -- this is
undesirable, and probably another argument is required to take care of
this (or a char array name field in the pcbinfo?).
This is not an MFC candidate for 8.x due to its impact on lookup and
locking semantics. It's possible some of these issues could be worked
around with compatibility wrappers, if necessary.
Reviewed by: bz
Sponsored by: Juniper Networks, Inc.
Notes:
svn path=/head/; revision=222488
|
| |
|
|
|
|
|
| |
MFC after: 2 weeks
Notes:
svn path=/head/; revision=222474
|
| |
|
|
|
|
|
|
| |
PR: kern/156410
MFC after: 2 weeks
Notes:
svn path=/head/; revision=222473
|
| |
|
|
|
|
|
|
| |
PR: 156838
MFC after: 1 week
Notes:
svn path=/head/; revision=221521
|
| |
|
|
|
|
|
| |
Submitted by: Brandon Gooch <jamesbrandongooch gmail.com>
Notes:
svn path=/head/; revision=220914
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Move fw_one_pass to where it belongs: it is a property of ipfw,
not of ip_input.
Reviewed by: gnn
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 3 days
Notes:
svn path=/head/; revision=220878
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
calculate required memory size dynamically.
- Fix races on chain re-lock.
- Introduce new field to ip_fw_chain - generation count. Now utilized
only in the NAT configuration, but can be utilized wider in ipfw.
- Get rid of NAT_BUF_LEN in ip_fw.h
PR: kern/143653
Notes:
svn path=/head/; revision=220837
|
| |
|
|
|
|
|
|
|
| |
and .pipe_slot_limit oids to prevent to set incorrect values.
MFC after: 2 weeks
Notes:
svn path=/head/; revision=220832
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
specified minimum and maximum. In case when specified default value
is out of bounds it does not work as expected and does not limit
variable. Check that default value is in range and limit it if needed.
Also bump max_hash_size value to 65536 to correspond with manual page.
PR: kern/152887
MFC after: 2 weeks
Notes:
svn path=/head/; revision=220831
|
| |
|
|
|
|
|
| |
MFC after: 1 week
Notes:
svn path=/head/; revision=220812
|
| |
|
|
|
|
|
| |
and its callers.
Notes:
svn path=/head/; revision=220800
|
| |
|
|
|
|
|
|
| |
PR: kern/156180
Reviewed by: luigi
Notes:
svn path=/head/; revision=220796
|
| |
|
|
|
|
|
|
|
|
| |
even when tag is already exists.
Reported by: Vadim Goncharov
MFC after: 1 week
Notes:
svn path=/head/; revision=220568
|
| |
|
|
|
|
|
|
| |
PR: kern/153415
MFC after: 1 week
Notes:
svn path=/head/; revision=220211
|
| |
|
|
|
|
|
| |
MFC after: 1 week
Notes:
svn path=/head/; revision=220204
|
| |
|
|
|
|
|
|
|
|
| |
was not freed.
PR: kern/156083
MFC after: 1 week
Notes:
svn path=/head/; revision=220203
|
| |
|
|
|
|
|
|
|
| |
PR: bin/154928
Submitted by: Eitan Adler <lists at eitanadler.com>
MFC after: 3 days
Notes:
svn path=/head/; revision=218909
|
| |
|
|
|
|
|
|
|
|
| |
and thus unbreak loading dummynet.ko via /boot/loader.conf.
Reported by: rihad <rihad att mail.ru> on freebsd-net
Approved by: kib (mentor)
Notes:
svn path=/head/; revision=218741
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the dec.2009 rewrite I introduced a bug, using for the
computation the arrival time instead of the time the packet
has exited from the queue.
The bandwidth computation was still correct because it is
computed elsewhere, but traffic was sent out in bursts.
The bug is also present in RELENG_8 after dec.2009
Thanks to Daikichi Osuga for investingating, finding and fixing the
bug with detailed graphs of the behaviour before and after the fix.
Submitted by: Daikichi Osuga
MFC after: 2 weeks
Notes:
svn path=/head/; revision=218360
|
| |
|
|
|
|
|
| |
Reviewed by: luigi
Notes:
svn path=/head/; revision=217361
|
| |
|
|
|
|
|
| |
Commit the net* piece.
Notes:
svn path=/head/; revision=217322
|
| |
|
|
|
|
|
| |
Reviewed by: luigi
Notes:
svn path=/head/; revision=217110
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DPCPU_DEFINE and VNET_DEFINE macros, as these cause problems for various
people working on the affected files. A better long-term solution is
still being considered. This reversal may give some modules empty
set_pcpu or set_vnet sections, but these are harmless.
Changes reverted:
------------------------------------------------------------------------
r215318 | dim | 2010-11-14 21:40:55 +0100 (Sun, 14 Nov 2010) | 4 lines
Instead of unconditionally emitting .globl's for the __start_set_xxx and
__stop_set_xxx symbols, only emit them when the set_vnet or set_pcpu
sections are actually defined.
------------------------------------------------------------------------
r215317 | dim | 2010-11-14 21:38:11 +0100 (Sun, 14 Nov 2010) | 3 lines
Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout
the tree.
------------------------------------------------------------------------
r215316 | dim | 2010-11-14 21:23:02 +0100 (Sun, 14 Nov 2010) | 2 lines
Add macros to define static instances of VNET_DEFINE and DPCPU_DEFINE.
Notes:
svn path=/head/; revision=215701
|
| |
|
|
|
|
|
| |
the tree.
Notes:
svn path=/head/; revision=215317
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the "sockarg" ipfw option matches packets associated to
a local socket and with a non-zero so_user_cookie value.
The value is made available as tablearg, so it can be used
as a skipto target or pipe number in ipfw/dummynet rules.
Code by Paul Joe, manpage by me.
Submitted by: Paul Joe
MFC after: 1 week
Notes:
svn path=/head/; revision=215179
|
| |
|
|
|
|
|
|
|
| |
it was necessary.
Submitted by: Riccardo Panicucci
Notes:
svn path=/head/; revision=213329
|
| |
|
|
|
|
|
|
|
|
|
| |
It was meant to reset idle_time (and it was not needed),
but i even used the wrong field.
Obtained from: Oleg
MFC after: 3 days
Notes:
svn path=/head/; revision=213279
|
| |
|
|
| |
Notes:
svn path=/head/; revision=213267
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This fixes the bug where setting bw > 1 MTU/tick resulted in
infinite bandwidth if io_fast=1
PR: 147245 148429
Obtained from: Riccardo Panicucci
MFC after: 3 days
Notes:
svn path=/head/; revision=213265
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
net.inet.ip.fw.one_pass and always moved to the next rule
in case of a successful nat.
This should fix several related PR (waiting for feedback
before closing them)
PR: 145167 149572 150141
MFC after: 3 days
Notes:
svn path=/head/; revision=213254
|
| |
|
|
|
|
|
|
|
|
|
| |
+ remove an unused macro,
+ adjust the constants in an enum
+ small whitespace changes
MFC after: 3 days
Notes:
svn path=/head/; revision=213253
|
| |
|
|
|
|
|
|
| |
Reported by: Alexander Levin <amindomao googlemail.com>
MFC after: 1 week
Notes:
svn path=/head/; revision=212256
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pseudo-interface. This leads to a panic due to uninitialized
if_broadcastaddr address. Initialize it and implement ip_output()
method to prevent mbuf leak later.
ipfw pseudo-interface should never send anything therefore call
panic(9) in if_start() method.
PR: kern/149807
Submitted by: Dmitrij Tejblum
MFC after: 2 weeks
Notes:
svn path=/head/; revision=211992
|
| |
|
|
|
|
|
|
|
|
|
|
| |
net.inet.ip.fw.one_pass sysctl.
The "ngtee" action is still broken.
PR: kern/148885
Submitted by: Nickolay Dudorov <nnd mail.nsk.ru>
Notes:
svn path=/head/; revision=210537
|
| |
|
|
|
|
|
| |
run the timer routine on cpu 0.
Notes:
svn path=/head/; revision=210123
|
| |
|
|
| |
Notes:
svn path=/head/; revision=210120
|
| |
|
|
| |
Notes:
svn path=/head/; revision=210119
|
| |
|
|
|
|
|
| |
Prodded by: julian
Notes:
svn path=/head/; revision=209845
|
| |
|
|
|
|
|
|
|
| |
a stub m_hdr instead of a full mbuf.
PR: kern/148050
Notes:
svn path=/head/; revision=209797
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
"match" processing at the end of inner loop would look ahead into the next
rule, which is incorrect. Particularly, in the case when the next rule
started with F_NOT opcode it was skipped blindly.
To fix this, exit the inner loop with the continue operator forcibly and
explicitly.
PR: kern/147798
Notes:
svn path=/head/; revision=209589
|
| |
|
|
|
|
|
| |
after a merge, etc.)
Notes:
svn path=/head/; revision=206845
|
| |
|
|
|
|
|
|
|
| |
This adds the explicit include (so far probably included through one of the
few "hidden" includes in other header files) for vnet.h and adds a cast
to unbreak LINT-VIMAGE.
Notes:
svn path=/head/; revision=206461
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
compiled with "options VIMAGE".
As it is now, there is still a single instance of the pipes,
and it is only usable from vnet0 (the main instance).
Trying to use a pipe from a different vimage does not crash
the system as it did before, but the traffic coming out from
the pipe goes to the wrong place, and i still need to
figure out where.
Support for per-vimage pipes is almost there (just a matter of
uncommenting the VNET_* definitions for dn_cfg, plus putting into
the structure the remaining static variables), however i need
first to figure out how init/uninit work, and also to understand
where packets are ending up on exit from a pipe.
In summary: vimage support for dummynet is not complete yet,
but we are getting there.
Notes:
svn path=/head/; revision=206428
|
| |
|
|
|
|
|
| |
MFC after: 3 days
Notes:
svn path=/head/; revision=206425
|
| |
|
|
|
|
|
|
| |
A few more tests and this will also go into -stable where
the problem is more critical.
Notes:
svn path=/head/; revision=206339
|
| |
|
|
|
|
|
| |
(stable/8 just fixed moments ago)
Notes:
svn path=/head/; revision=205955
|
