path: root/sys/netinet
Commit message | Author | Age | Files | Lines
* Fix the reported streams in a SCTP_STREAM_RESET_EVENT, if a sent incoming stream reset request was responded with failed or denied.
  Michael Tuexen | 2014-10-16 | 3 files | -17/+24
  Thanks to Peter Bostroem from Google for reporting the issue.
  MFC after: 3 days
  Notes: svn path=/head/; revision=273168
* Overhaul if_gif(4):
  Andrey V. Elsukov | 2014-10-14 | 2 files | -278/+60
  o convert to if_transmit;
  o use rmlock to protect access to gif_softc;
  o use sx lock to protect from concurrent ioctls;
  o remove a lot of unneeded and duplicated code;
  o remove cached route support (it won't work with concurrent io);
  o style fixes.
  Reviewed by: melifaro
  Obtained from: Yandex LLC
  MFC after: 1 month
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=273087
* Handle small file case with regards to plpmtud blackhole detection.
  Sean Bruno | 2014-10-13 | 1 file | -1/+9
  Submitted by: Mikhail <mp@lenta.ru>
  MFC after: 2 weeks
  Relnotes: yes
  Notes: svn path=/head/; revision=273063
* Catch ipv6 case when attempting to do PLPMTUD blackhole detection.
  Sean Bruno | 2014-10-13 | 1 file | -0/+5
  Submitted by: Mikhail <mp@lenta.ru>
  MFC after: 2 weeks
  Relnotes: yes
  Notes: svn path=/head/; revision=273062
* Fix matching default rule on clear/show commands.
  Alexander V. Chernikov | 2014-10-13 | 1 file | -0/+5
  Found by: Oleg Ginzburg
  Notes: svn path=/head/; revision=273035
* A connection in TIME_WAIT state before calling close() actually did not receive any RST packet. Do not set error to ECONNRESET in this case.
  Julien Charbon | 2014-10-12 | 1 file | -1/+3
  Differential Revision: https://reviews.freebsd.org/D879
  Reviewed by: rpaulo, adrian
  Approved by: jhb (mentor)
  Sponsored by: Verisign, Inc.
  Notes: svn path=/head/; revision=273014
* When deciding whether to call m_pullup() even though there is adequate data in an mbuf, use M_WRITABLE() instead of a direct test of M_EXT; the latter both unnecessarily exposes mbuf-allocator internals in the protocol stack and is also insufficient to catch all cases of non-writability.
  Robert Watson | 2014-10-12 | 3 files | -7/+6
  (NB: m_pullup() does not actually guarantee that a writable mbuf is returned, so further refinement of all of these code paths continues to be required.)
  Reviewed by: bz
  MFC after: 3 days
  Sponsored by: EMC / Isilon Storage Division
  Differential Revision: https://reviews.freebsd.org/D900
  Notes: svn path=/head/; revision=272984
* Update ip_divert.ko to depend on version 3 of ipfw.
  John Baldwin | 2014-10-11 | 1 file | -1/+1
  Notes: svn path=/head/; revision=272941
* Add context pointer and source address to the UDP tunnel callback
  Bryan Venteicher | 2014-10-10 | 3 files | -7/+13
  These are needed for the forthcoming vxlan implementation. The context pointer means we do not have to use a spare pointer field in the inpcb, and the source address is required to populate vxlan's forwarding table.
  While I highly doubt there is an out of tree consumer of the UDP tunneling callback, this change may be difficult to eventually MFC.
  Phabricator: https://reviews.freebsd.org/D383
  Reviewed by: gnn
  Notes: svn path=/head/; revision=272886
* Add missing UDP multicast receive dtrace probes
  Bryan Venteicher | 2014-10-09 | 1 file | -0/+3
  Phabricator: https://reviews.freebsd.org/D924
  Reviewed by: rpaulo markj
  MFC after: 1 month
  Notes: svn path=/head/; revision=272844
* Ensure that the flags field of sctp_tmit_chunks is initialized.
  Michael Tuexen | 2014-10-09 | 2 files | -24/+29
  Thanks to Peter Bostroem from Google for reporting the issue.
  MFC after: 3 days
  Notes: svn path=/head/; revision=272841
* Sync to HEAD@r272825.
  Alexander V. Chernikov | 2014-10-09 | 9 files | -10/+778
  Notes: svn path=/projects/ipfw/; revision=272826
* Move the SCTP syscalls to netinet with the rest of the SCTP code. The syscalls themselves are tightly coupled with the network stack and therefore should not be in the generic socket code.
  Marcel Moolenaar | 2014-10-09 | 1 file | -0/+588
  The following four syscalls have been marked as NOSTD so they can be dynamically registered in sctp_syscalls_init() function:
    sys_sctp_peeloff
    sys_sctp_generic_sendmsg
    sys_sctp_generic_sendmsg_iov
    sys_sctp_generic_recvmsg
  The syscalls are also set up to be dynamically registered when COMPAT32 option is configured.
  As a side effect of moving the SCTP syscalls, getsock_cap needs to be made available outside of the uipc_syscalls.c source file. A proper prototype has been added to the sys/socketvar.h header file.
  API tests from the SCTP reference implementation have been run to ensure compatibility. (http://code.google.com/p/sctp-refimpl/source/checkout)
  Submitted by: Steve Kiernan <stevek@juniper.net>
  Reviewed by: tuexen, rrs
  Obtained from: Juniper Networks, Inc.
  Notes: svn path=/head/; revision=272823
* Check for mbuf copy failure when there are multiple multicast sockets
  Bryan Venteicher | 2014-10-09 | 1 file | -5/+4
  This particular case is the only path where the mbuf could be NULL. udp_append() checked for a NULL mbuf only after invoking the tunneling callback. Our only in tree tunneling callback - SCTP - assumed a non NULL mbuf, and it is a bit odd to make the callbacks responsible for checking this condition.
  This also reduces the differences between the IPv4 and IPv6 code.
  MFC after: 1 month
  Notes: svn path=/head/; revision=272797
* When tunneling interface is going to insert mbuf into netisr queue after stripping outer header, consider it as new packet and clear the protocols flags.
  Andrey V. Elsukov | 2014-10-08 | 1 file | -1/+1
  This fixes problems when IPSEC traffic goes through various tunnels and router doesn't send ICMP/ICMPv6 errors.
  PR: 174602
  Obtained from: Yandex LLC
  MFC after: 2 weeks
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=272770
* Ensure that the list of streams sent in a stream reset parameter fits in an mbuf-cluster.
  Michael Tuexen | 2014-10-08 | 2 files | -3/+11
  Thanks to Peter Bostroem for drawing my attention to this part of the code.
  Notes: svn path=/head/; revision=272751
* Ensure that the number of streams reported in srs_number_streams is consistent with the amount of data provided in the SCTP_RESET_STREAMS socket option.
  Michael Tuexen | 2014-10-08 | 1 file | -0/+6
  Thanks to Peter Bostroem from Google for drawing my attention to this part of the code.
  Notes: svn path=/head/; revision=272750
* Implement PLPMTUD blackhole detection (RFC 4821), inspired by code from xnu sources.
  Sean Bruno | 2014-10-07 | 3 files | -1/+168
  If we encounter a network where ICMP is blocked the Needs Frag indicator may not propagate back to us. Attempt to downshift the mss once to a preconfigured value. Default this feature to off for now while we do not have a full PLPMTUD implementation in our stack.
  Adds the following new sysctl's for control:
    net.inet.tcp.pmtud_blackhole_detection -- turns on/off this feature
    net.inet.tcp.pmtud_blackhole_mss -- mss to try for ipv4
    net.inet.tcp.v6pmtud_blackhole_mss -- mss to try for ipv6
  Adds the following new sysctl's for monitoring:
    net.inet.tcp.pmtud_blackhole_activated -- Number of times the code was activated to attempt a mss downshift
    net.inet.tcp.pmtud_blackhole_min_activated -- Number of times the blackhole mss was used in an attempt to downshift
    net.inet.tcp.pmtud_blackhole_failed -- Number of times that we failed to connect after we downshifted the mss
  Phabricator: https://reviews.freebsd.org/D506
  Reviewed by: rpaulo bz
  MFC after: 2 weeks
  Relnotes: yes
  Sponsored by: Limelight Networks
  Notes: svn path=/head/; revision=272720
* Add IP_FW_DUMP_SOPTCODES sopt to be able to determine which opcodes are currently available in kernel.
  Alexander V. Chernikov | 2014-10-08 | 1 file | -0/+10
  Notes: svn path=/projects/ipfw/; revision=272745
* Sync to HEAD@r272609.
  Alexander V. Chernikov | 2014-10-06 | 3 files | -30/+16
  Notes: svn path=/projects/ipfw/; revision=272610
* Minor code styling.
  Hans Petter Selasky | 2014-10-06 | 1 file | -17/+16
  Suggested by: glebius @
  Notes: svn path=/head/; revision=272595
* Remove unused MC_ALIGN macro as suggested by Robert.
  Michael Tuexen | 2014-10-05 | 1 file | -7/+0
  MFC after: 1 week
  Notes: svn path=/head/; revision=272571
* Eliminate use of M_EXT in IP6_EXTHDR_CHECK() by trimming a redundant 'if'/'else' case: it matches the simple 'else' case that follows. This reduces awareness of external-storage mechanics outside of the mbuf allocator.
  Robert Watson | 2014-10-05 | 1 file | -6/+0
  Reviewed by: bz
  MFC after: 3 days
  Sponsored by: EMC / Isilon Storage Division
  Differential Revision: https://reviews.freebsd.org/D900
  Notes: svn path=/head/; revision=272559
* Sync to HEAD@r272516.
  Alexander V. Chernikov | 2014-10-04 | 43 files | -990/+1304
  Notes: svn path=/projects/ipfw/; revision=272517
* Add an additional routing table lookup when m->m_pkthdr.fibnum is changed at a PFIL hook in ip{,6}_output(). IPFW setfib rule did not perform a routing table lookup when the destination address was not changed.
  Hiroki Sato | 2014-10-02 | 1 file | -4/+16
  CR: D805
  Notes: svn path=/head/; revision=272391
* Add a sysctl, net.inet.icmp.tstamprepl, which can be used to disable replies to ICMP Timestamp packets.
  Mark Johnston | 2014-10-01 | 1 file | -0/+6
  PR: 193689
  Submitted by: Anthony Cornehl <accornehl@gmail.com>
  MFC after: 3 weeks
  Sponsored by: EMC / Isilon Storage Division
  Notes: svn path=/head/; revision=272378
* Remove lock init from radix.c.
  Alexander V. Chernikov | 2014-10-01 | 1 file | -1/+3
  Radix has never managed its locking itself. The only consumer using radix with embedded rwlock is system routing table. Move per-AF lock inits there.
  Notes: svn path=/head/; revision=272361
* The default for UDPLITE_RECV_CSCOV is zero. RFC 3828 recommends that this means full checksum coverage for received packets. If an application is willing to accept packets with partial coverage, it is expected to use the socket option and provide the minimum coverage it accepts.
  Michael Tuexen | 2014-10-01 | 1 file | -1/+1
  Reviewed by: kevlo
  MFC after: 3 days
  Notes: svn path=/head/; revision=272347
* UDPLite requires a checksum. Therefore, discard a received packet if the checksum is 0.
  Michael Tuexen | 2014-09-30 | 1 file | -2/+10
  MFC after: 3 days
  Notes: svn path=/head/; revision=272326
* If the checksum coverage field in the UDPLITE header is the length of the complete UDPLITE packet, the packet has full checksum coverage. So fix the condition.
  Michael Tuexen | 2014-09-30 | 1 file | -2/+3
  Reviewed by: kevlo
  MFC after: 3 days
  Notes: svn path=/head/; revision=272323
* Only define the full inm_print() if KTR_IGMPV3 is enabled at compile time.
  John Baldwin | 2014-09-30 | 1 file | -3/+3
  Notes: svn path=/head/; revision=272316
* Checksum coverage values larger than 65535 for UDPLite are invalid. Check for this when the user calls setsockopt using UDPLITE_{SEND,RECV}CSCOV.
  Michael Tuexen | 2014-09-28 | 1 file | -1/+1
  Reviewed by: kevlo
  MFC after: 3 days
  Notes: svn path=/head/; revision=272263
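The four UDP-Lite commits above (r272263, r272323, r272326, r272347) each tighten one rule on the checksum-coverage field. Pulled together they make a small input filter, shown here as an added standalone C example; this is not FreeBSD's udp_input() code. It parses a constructed 8-byte UDP-Lite header, applies the RFC 3828 range rules for the coverage field plus the three receive-side rules from the commits (a zero checksum is discarded, coverage equal to the packet length is full coverage, a socket whose UDPLITE_RECV_CSCOV is 0 accepts only full coverage), and applies the 16-bit bound from r272263 to setsockopt arguments. The verdict names, the udplite_demo() packet builder and its port numbers are this example's own; the checksum value itself is not verified, only the coverage rules.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UDPLITE_HDR_LEN 8   /* ports, checksum coverage, checksum: same layout as UDP */

enum udplite_verdict {
	UDPLITE_ACCEPT = 0,
	UDPLITE_DROP_SHORT,      /* shorter than the header */
	UDPLITE_DROP_NO_CSUM,    /* checksum field is 0 (r272326) */
	UDPLITE_DROP_BAD_CSCOV,  /* coverage 1..7, or larger than the packet (RFC 3828 3.1) */
	UDPLITE_DROP_BELOW_MIN   /* partial coverage the socket did not opt in to (r272347) */
};

/* Big-endian 16-bit field from the wire. */
static uint16_t get16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Input check for one received UDP-Lite datagram; pkt/len is the whole
 * UDP-Lite packet, header included. recv_cscov_min is the socket's
 * UDPLITE_RECV_CSCOV value; 0 means "full coverage required".
 */
enum udplite_verdict
udplite_check_input(const uint8_t *pkt, size_t len, uint16_t recv_cscov_min)
{
	uint16_t cscov, csum;

	if (len < UDPLITE_HDR_LEN)
		return UDPLITE_DROP_SHORT;
	cscov = get16(pkt + 4);
	csum = get16(pkt + 6);

	/* Unlike UDP, UDP-Lite has no "no checksum" encoding: 0 is a violation. */
	if (csum == 0)
		return UDPLITE_DROP_NO_CSUM;
	/* 1..7 cannot even cover the header; more than the packet is bogus. */
	if (cscov != 0 && (cscov < UDPLITE_HDR_LEN || cscov > len))
		return UDPLITE_DROP_BAD_CSCOV;
	/* 0 or exactly the packet length both mean full coverage (r272323). */
	if (cscov == 0 || cscov == len)
		return UDPLITE_ACCEPT;
	/* Partial coverage: only if the application asked for it, and not less than it asked. */
	if (recv_cscov_min == 0 || cscov < recv_cscov_min)
		return UDPLITE_DROP_BELOW_MIN;
	return UDPLITE_ACCEPT;
}

/* Argument check for setsockopt(UDPLITE_{SEND,RECV}_CSCOV): the field is 16 bits (r272263). */
int udplite_cscov_setsockopt_ok(int value)
{
	return value >= 0 && value <= 65535;
}

/*
 * Constructed test datagram: ports 4000 -> 5000, payload_len bytes of 'A',
 * with the given coverage and checksum fields, run through the input check.
 */
enum udplite_verdict
udplite_demo(uint16_t cscov, uint16_t csum, size_t payload_len, uint16_t recv_cscov_min)
{
	uint8_t buf[64];
	size_t len = UDPLITE_HDR_LEN + payload_len;

	if (len > sizeof(buf))
		return UDPLITE_DROP_SHORT;   /* demo buffer is bounded; not a protocol rule */
	buf[0] = 4000 >> 8;  buf[1] = 4000 & 0xff;
	buf[2] = 5000 >> 8;  buf[3] = 5000 & 0xff;
	buf[4] = cscov >> 8; buf[5] = cscov & 0xff;
	buf[6] = csum >> 8;  buf[7] = csum & 0xff;
	memset(buf + UDPLITE_HDR_LEN, 'A', payload_len);
	return udplite_check_input(buf, len, recv_cscov_min);
}
```

The order of the checks matters for the reason r272326 gives: a packet that advertises partial coverage but carries no checksum at all must not get as far as the coverage comparison, or an attacker could hand an application unverified bytes that it believes are covered.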
* * Split tcp_signature_compute() into 2 pieces:
      - tcp_get_sav() - SADB key lookup
      - tcp_signature_do_compute() - actual computation
  * Fix TCP signature case for listening socket: do not assume EVERY connection coming to socket with TCP_SIGNATURE set to be md5 signed regardless of SADB key existence for particular address. This fixes the case for routing software having _some_ BGP sessions secured by md5.
  * Simplify TCP_SIGNATURE handling in tcp_input()
  Alexander V. Chernikov | 2014-09-27 | 3 files | -54/+116
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=272201
* Remove an un-needed bit of pre-processor work - it all lives inside #ifdef RSS.
  Adrian Chadd | 2014-09-27 | 1 file | -2/+0
  Notes: svn path=/head/; revision=272199
* drop unnecessary ifdef IPSEC's. This file is only compiled when IPSEC is defined...
  John-Mark Gurney | 2014-09-26 | 1 file | -13/+0
  Differential Revision: D839
  Reviewed by: bz, glebius, gnn
  Sponsored by: EuroBSDCon DevSummit
  Notes: svn path=/head/; revision=272177
* Catch up with r271119.
  Navdeep Parhar | 2014-09-24 | 1 file | -1/+0
  Notes: svn path=/head/; revision=272081
* Improve transmit sending offload, TSO, algorithm in general.
  Hans Petter Selasky | 2014-09-22 | 4 files | -13/+109
  The current TSO limitation feature only takes the total number of bytes in an mbuf chain into account and does not limit by the number of mbufs in a chain. Some kinds of hardware are limited by two factors. One is the fragment length and the second is the fragment count. Both of these limits need to be taken into account when doing TSO. Else some kinds of hardware might have to drop completely valid mbuf chains because they cannot be loaded into the given hardware's DMA engine.
  The new way of doing TSO limitation has been made backwards compatible as input from other FreeBSD developers and will use defaults for values not set.
  Reviewed by: adrian, rmacklem
  Sponsored by: Mellanox Technologies
  MFC after: 1 week
  Notes: svn path=/head/; revision=271946
* Add a change missing in r271916.
  Hiroki Sato | 2014-09-21 | 1 file | -2/+2
  Notes: svn path=/head/; revision=271920
* - Virtualize interface cloner for gre(4). This fixes a panic when destroying a vnet jail which has a gre(4) interface.
  - Make net.link.gre.max_nesting vnet-local.
  Hiroki Sato | 2014-09-21 | 1 file | -4/+4
  Notes: svn path=/head/; revision=271918
* Mechanically convert to if_inc_counter().
  Gleb Smirnoff | 2014-09-19 | 1 file | -4/+4
  Notes: svn path=/head/; revision=271863
* Remove disabled code, that is very unlikely to be ever enabled again, as well as the comment that explains why it is disabled.
  Gleb Smirnoff | 2014-09-19 | 1 file | -37/+0
  Notes: svn path=/head/; revision=271852
* Fix source address selection on unbound sockets in the presence of multiple fibs.
  Alan Somers | 2014-09-16 | 2 files | -8/+9
  Use the mbuf's or the socket's fib instead of RT_ALL_FIBS. Fixes PR 187553. Also fixes netperf's UDP_STREAM test on a nondefault fib.
  sys/netinet/ip_output.c
    In ip_output, lookup the source address using the mbuf's fib instead of RT_ALL_FIBS.
  sys/netinet/in_pcb.c
    in in_pcbladdr, lookup the source address using the socket's fib, because we don't seem to have the mbuf fib. They should be the same, though.
  tests/sys/net/fibs_test.sh
    Clear the expected failure on udp_dontroute.
  PR: 187553
  CR: https://reviews.freebsd.org/D772
  MFC after: 3 weeks
  Sponsored by: Spectra Logic
  Notes: svn path=/head/; revision=271675
* Add an explicit cast to silence a warning when building the userland stack on Windows. This issue was reported by Peter Kasting from Google.
  Michael Tuexen | 2014-09-16 | 1 file | -2/+2
  MFC after: 3 days
  Notes: svn path=/head/; revision=271674
* Use a consistent type for the number of HMAC algorithms.
  Michael Tuexen | 2014-09-16 | 4 files | -8/+9
  This fixes a bug which resulted in a warning on the userland stack, when compiled on Windows. Thanks to Peter Kasting from Google for reporting the issue and providing a potential fix.
  MFC after: 3 days
  Notes: svn path=/head/; revision=271673
* Small cleanup which addresses a warning regarding the truncation of a 64-bit entity to a 32-bit entity. This issue was reported by Peter Kasting from Google.
  Michael Tuexen | 2014-09-16 | 1 file | -7/+4
  MFC after: 3 days
  Notes: svn path=/head/; revision=271672
* FreeBSD-SA-14:19.tcp raised attention to the state of our stack towards blind SYN/RST spoofed attack.
  Gleb Smirnoff | 2014-09-16 | 1 file | -101/+78
  Originally our stack used in-window checks for incoming SYN/RST as proposed by RFC793. Later, circa 2003 the RST attack was mitigated using the technique described in P. Watson "Slipping in the window" paper [1].
  After that, the checks were only relaxed for the sake of compatibility with some buggy TCP stacks. First, r192912 introduced the vulnerability, just fixed by aforementioned SA. Second, r167310 had slightly relaxed the default RST checks, instead of utilizing net.inet.tcp.insecure_rst sysctl.
  In 2010 a new technique for mitigation of these attacks was proposed in RFC5961 [2]. The idea is to send a "challenge ACK" packet to the peer, to verify that the packet that arrived isn't spoofed. If the peer receives the challenge ACK it should regenerate its RST or SYN with the correct sequence number. This should not only protect against attacks, but also improve communication with broken stacks, so authors of reverted r167310 and r192912 won't be disappointed.
  [1] http://bandwidthco.com/whitepapers/netforensics/tcpip/TCP Reset Attacks.pdf
  [2] http://www.rfc-editor.org/rfc/rfc5961.txt
  Changes made:
  o Revert r167310.
  o Implement "challenge ACK" protection as specified in RFC5961 against RST attack. On by default.
    - Carefully preserve r138098, which handles empty window edge case, not described by the RFC.
    - Update net.inet.tcp.insecure_rst description.
  o Implement "challenge ACK" protection as specified in RFC5961 against SYN attack. On by default.
    - Provide net.inet.tcp.insecure_syn sysctl, to turn off RFC5961 protection.
  The changes were tested at Netflix. The tested box didn't show any anomalies compared to the control box, except a slightly increased number of TCP connections in LAST_ACK state.
  Reviewed by: rrs
  Sponsored by: Netflix
  Sponsored by: Nginx, Inc.
  Notes: svn path=/head/; revision=271671
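The RST and SYN decisions this commit describes, as an added standalone C example; it is not FreeBSD's tcp_input() code. It uses the RFC names RCV.NXT and RCV.WND as plain arguments (FreeBSD compares against its own last-ACK-sent state, which is an assumption not checked here), boolean parameters in place of the net.inet.tcp.insecure_rst and net.inet.tcp.insecure_syn sysctls, and reads the preserved r138098 zero-window case as "only the exact next sequence number is acceptable when the window is empty". The last two functions are this example's additions: a counter that shows how many sequence numbers a blind attacker's RST may carry before the mitigation (any in the window) and after it (exactly one), and the legitimate peer's half of the challenge-ACK exchange.

```c
#include <stdbool.h>
#include <stdint.h>

/* Sequence-space comparisons modulo 2^32, as in sys/netinet/tcp_seq.h. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

enum tcp_action {
	TCP_DROP,          /* silently discard the segment */
	TCP_RESET_CONN,    /* tear the connection down */
	TCP_CHALLENGE_ACK  /* send an ACK carrying RCV.NXT and let the peer retry */
};

/*
 * Is SEG.SEQ inside the receive window? With an empty window only the exact
 * RCV.NXT qualifies (this example's reading of the r138098 edge case).
 */
static bool tcp_seq_in_window(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seq)
{
	if (rcv_wnd == 0)
		return seq == rcv_nxt;
	return SEQ_GEQ(seq, rcv_nxt) && SEQ_LT(seq, rcv_nxt + rcv_wnd);
}

/*
 * RFC 5961 section 3.2: RST on a synchronized connection. insecure_rst stands
 * in for net.inet.tcp.insecure_rst=1, the pre-RFC 5961 rule that any
 * in-window RST resets.
 */
enum tcp_action
tcp_rst_action(uint32_t rcv_nxt, uint32_t rcv_wnd, bool insecure_rst, uint32_t seq)
{
	if (!tcp_seq_in_window(rcv_nxt, rcv_wnd, seq))
		return TCP_DROP;
	if (insecure_rst || seq == rcv_nxt)
		return TCP_RESET_CONN;
	return TCP_CHALLENGE_ACK;   /* in window but not exact: make the peer prove it */
}

/*
 * RFC 5961 section 4.2: SYN on a synchronized connection is always answered
 * with a challenge ACK. insecure_syn stands in for net.inet.tcp.insecure_syn=1,
 * which restores the RFC 793 rule of resetting on an in-window SYN.
 */
enum tcp_action
tcp_syn_action(uint32_t rcv_nxt, uint32_t rcv_wnd, bool insecure_syn, uint32_t seq)
{
	if (insecure_syn && tcp_seq_in_window(rcv_nxt, rcv_wnd, seq))
		return TCP_RESET_CONN;
	return TCP_CHALLENGE_ACK;
}

/*
 * Blind attacker's view: of the `span` sequence numbers starting at `first`,
 * how many would tear the connection down if placed in a spoofed RST?
 */
unsigned
tcp_rst_guesses_that_reset(uint32_t rcv_nxt, uint32_t rcv_wnd, bool insecure_rst,
    uint32_t first, uint32_t span)
{
	unsigned hits = 0;
	for (uint32_t i = 0; i < span; i++)
		if (tcp_rst_action(rcv_nxt, rcv_wnd, insecure_rst, first + i) == TCP_RESET_CONN)
			hits++;
	return hits;
}

/*
 * Legitimate peer's half of the exchange: the challenge ACK carries the
 * receiver's RCV.NXT in its ACK field, the peer resends its RST with exactly
 * that sequence number, and the exact-match test now lets it through.
 */
enum tcp_action
tcp_rst_after_challenge(uint32_t rcv_nxt, uint32_t rcv_wnd)
{
	uint32_t challenge_ack = rcv_nxt;   /* ACK number seen by the peer */
	return tcp_rst_action(rcv_nxt, rcv_wnd, false, challenge_ack);
}
```

With a 64 KiB window the insecure setting gives an off-path attacker 65536 winning guesses out of 2^32 per probe; the RFC 5961 rule leaves exactly one, and the cost is one extra ACK per misfit RST or SYN, which is the rate-limiting consideration the RFC discusses.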
* Make a type conversion explicit. When compiling this code on Windows as part of the SCTP userland stack, this fixes a warning reported by Peter Kasting from Google.
  Michael Tuexen | 2014-09-16 | 1 file | -1/+1
  MFC after: 3 days
  Notes: svn path=/head/; revision=271670
* Fix Denial of Service in TCP packet processing.
  Xin LI | 2014-09-16 | 1 file | -5/+1
  Submitted by: glebius
  Security: FreeBSD-SA-14:19.tcp
  Notes: svn path=/head/; revision=271666
* The MTU is handled as a 32-bit entity within the SCTP stack. This was reported by Peter Kasting from Google.
  Michael Tuexen | 2014-09-16 | 1 file | -1/+1
  MFC after: 3 days
  Notes: svn path=/head/; revision=271665
* Ensure the correct software IPv4 hash is done based on the configured RSS parameters, rather than assuming we're hashing IPv4+UDP and IPv4+TCP.
  Adrian Chadd | 2014-09-16 | 1 file | -3/+10
  Notes: svn path=/head/; revision=271660